diff options
| author | Shigeki Ohtsu <ohtsu@ohtsu.org> | 2018-08-14 23:11:54 +0900 |
|---|---|---|
| committer | Rod Vagg <rod@vagg.org> | 2018-08-16 11:52:37 +1000 |
| commit | 6090e1f54d8e6e8c4ba18091e19faf46c0b09ece (patch) | |
| tree | a2d2fb7b4b4a5e365ac4b6515cf4d7a5c8262d23 /deps/openssl | |
| parent | 32902d09b43e9d7f19eb6178ef5db835652d97c1 (diff) | |
| download | android-node-v8-6090e1f54d8e6e8c4ba18091e19faf46c0b09ece.tar.gz android-node-v8-6090e1f54d8e6e8c4ba18091e19faf46c0b09ece.tar.bz2 android-node-v8-6090e1f54d8e6e8c4ba18091e19faf46c0b09ece.zip | |
deps: upgrade openssl sources to 1.1.0i
This updates all sources in deps/openssl/openssl with openssl-1.1.0i.
PR-URL: https://github.com/nodejs/node/pull/22318
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Diffstat (limited to 'deps/openssl')
406 files changed, 6034 insertions, 2897 deletions
diff --git a/deps/openssl/openssl/.gitignore b/deps/openssl/openssl/.gitignore new file mode 100644 index 0000000000..3dee3922a7 --- /dev/null +++ b/deps/openssl/openssl/.gitignore @@ -0,0 +1,175 @@ +# Ignore editor artefacts +/.dir-locals.el + +# Top level excludes +/Makefile.orig +/MINFO +/TABLE +/*.a +/*.pc +/rehash.time +/inc.* +/makefile.* +/out.* +/tmp.* +/configdata.pm + +# *all* Makefiles +Makefile +# ... except in demos +!/demos/*/Makefile + +# Links under apps +/apps/CA.pl +/apps/tsget +/apps/tsget.pl +/apps/md4.c + +# Auto generated headers +/crypto/buildinf.h +/apps/progs.h +/crypto/include/internal/*_conf.h +/openssl/include/opensslconf.h +/util/domd + +# Executables +/apps/openssl +/test/sha256t +/test/sha512t +/test/gost2814789t +/test/ssltest_old +/test/*test +/test/fips_aesavs +/test/fips_desmovs +/test/fips_dhvs +/test/fips_drbgvs +/test/fips_dssvs +/test/fips_ecdhvs +/test/fips_ecdsavs +/test/fips_rngvs +/test/fips_test_suite +/test/ssltest_old +/test/x509aux +/test/v3ext +/test/versions + +# Certain files that get created by tests on the fly +/test/test-runs +/test/buildtest_* + +# Fuzz stuff. +# Anything without an extension is an executable on Unix, so we keep files +# with extensions. And we keep the corpora subddir versioned as well. +# Anything more generic with extensions that should be ignored will be taken +# care of by general ignores for those extensions (*.o, *.obj, *.exe, ...) +/fuzz/* +!/fuzz/README* +!/fuzz/corpora +!/fuzz/*.* + +# Misc auto generated files +/include/openssl/opensslconf.h +/tools/c_rehash +/tools/c_rehash.pl +/util/shlib_wrap.sh +/tags +/TAGS +/crypto.map +/ssl.map + +# Windows (legacy) +/tmp32 +/tmp32.dbg +/tmp32dll +/tmp32dll.dbg +/out32 +/out32.dbg +/out32dll +/out32dll.dbg +/inc32 +/MINFO +/ms/.rnd +/ms/bcb.mak +/ms/libeay32.def +/ms/nt.mak +/ms/ntdll.mak +/ms/ssleay32.def +/ms/version32.rc + +# Files created on other branches that are not held in git, and are not +# needed on this branch +/include/openssl/asn1_mac.h +/include/openssl/des_old.h +/include/openssl/fips.h +/include/openssl/fips_rand.h +/include/openssl/krb5_asn.h +/include/openssl/kssl.h +/include/openssl/pq_compat.h +/include/openssl/ssl23.h +/include/openssl/tmdiff.h +/include/openssl/ui_compat.h +/test/fips_aesavs.c +/test/fips_desmovs.c +/test/fips_dsatest.c +/test/fips_dssvs.c +/test/fips_hmactest.c +/test/fips_randtest.c +/test/fips_rngvs.c +/test/fips_rsagtest.c +/test/fips_rsastest.c +/test/fips_rsavtest.c +/test/fips_shatest.c +/test/fips_test_suite.c +/test/shatest.c + +##### Generic patterns +# Auto generated assembly language source files +*.s +!/crypto/*/asm/*.s +/crypto/arm*.S +/crypto/*/*.S +*.asm +!/crypto/*/asm/*.asm + +# Object files +*.o +*.obj + +# editor artefacts +*.swp +.#* +\#*# +*~ + +# Certificate symbolic links +*.0 + +# All kinds of executables +*.so +*.so.* +*.dylib +*.dylib.* +*.dll +*.dll.* +*.exe +*.pyc +*.exp +*.lib +*.pdb +*.ilk +*.def +*.rc +*.res + +# Misc generated stuff +Makefile.save +/crypto/**/lib +/engines/**/lib +/ssl/**/lib +*.bak +cscope.* +*.d +pod2htmd.tmp + +# Windows manifest files +*.manifest diff --git a/deps/openssl/openssl/.travis.yml b/deps/openssl/openssl/.travis.yml index b5fc443181..1c1db2b73d 100644 --- a/deps/openssl/openssl/.travis.yml +++ b/deps/openssl/openssl/.travis.yml @@ -61,7 +61,7 @@ matrix: sources: - ubuntu-toolchain-r-test compiler: gcc-5 - env: CONFIG_OPTS="no-asm enable-ubsan enable-rc5 enable-md2 -DPEDANTIC" + env: UBUNTU_GCC_HACK="yes" CONFIG_OPTS="no-asm enable-ubsan enable-rc5 enable-md2 -DPEDANTIC" - os: linux addons: apt: @@ -69,7 +69,7 @@ matrix: - binutils-mingw-w64 - gcc-mingw-w64 compiler: i686-w64-mingw32-gcc - env: CONFIG_OPTS="no-pic" TESTS="-test_fuzz" + env: CONFIG_OPTS="no-pic" - os: linux addons: apt: @@ -85,7 +85,7 @@ matrix: - binutils-mingw-w64 - gcc-mingw-w64 compiler: x86_64-w64-mingw32-gcc - env: CONFIG_OPTS="no-pic" TESTS="-test_fuzz" + env: CONFIG_OPTS="no-pic" - os: linux addons: apt: @@ -112,6 +112,10 @@ before_script: srcdir=.; top=.; fi + - if [ -n "$UBUNTU_GCC_HACK" ]; then + $CC -dumpspecs | sed "s/--push-state//g; s/--pop-state/--as-needed/g" > gcc-specs.txt; + CC="$CC -specs=gcc-specs.txt"; + fi - if [ "$CC" == i686-w64-mingw32-gcc ]; then export CROSS_COMPILE=${CC%%gcc}; unset CC; $srcdir/Configure mingw $CONFIG_OPTS -Wno-pedantic-ms-format; @@ -186,7 +190,7 @@ script: fi - if [ -n "$DESTDIR" ]; then mkdir "../$DESTDIR"; - if $make install install_docs DESTDIR="../$DESTDIR"; then + if $make install DESTDIR="../$DESTDIR"; then echo -e '+\057\057\057\057\057 MAKE INSTALL_DOCS OK'; else echo -e '+\057\057\057\057\057 MAKE INSTALL_DOCS FAILED'; false; diff --git a/deps/openssl/openssl/CHANGES b/deps/openssl/openssl/CHANGES index 9d65bc3a77..9f0b94743b 100644 --- a/deps/openssl/openssl/CHANGES +++ b/deps/openssl/openssl/CHANGES @@ -7,6 +7,81 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.0h and 1.1.0i [14 Aug 2018] + + *) Client DoS due to large DH parameter + + During key agreement in a TLS handshake using a DH(E) based ciphersuite a + malicious server can send a very large prime value to the client. This will + cause the client to spend an unreasonably long period of time generating a + key for this prime resulting in a hang until the client has finished. This + could be exploited in a Denial Of Service attack. + + This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken + (CVE-2018-0732) + [Guido Vranken] + + *) Cache timing vulnerability in RSA Key Generation + + The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to + a cache timing side channel attack. An attacker with sufficient access to + mount cache timing attacks during the RSA key generation process could + recover the private key. + + This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera + Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. + (CVE-2018-0737) + [Billy Brumley] + + *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str + parameter is no longer accepted, as it leads to a corrupt table. NULL + pem_str is reserved for alias entries only. + [Richard Levitte] + + *) Revert blinding in ECDSA sign and instead make problematic addition + length-invariant. Switch even to fixed-length Montgomery multiplication. + [Andy Polyakov] + + *) Change generating and checking of primes so that the error rate of not + being prime depends on the intended use based on the size of the input. + For larger primes this will result in more rounds of Miller-Rabin. + The maximal error rate for primes with more than 1080 bits is lowered + to 2^-128. + [Kurt Roeckx, Annie Yousar] + + *) Increase the number of Miller-Rabin rounds for DSA key generating to 64. + [Kurt Roeckx] + + *) Add blinding to ECDSA and DSA signatures to protect against side channel + attacks discovered by Keegan Ryan (NCC Group). + [Matt Caswell] + + *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we + now allow empty (zero character) pass phrases. + [Richard Levitte] + + *) Certificate time validation (X509_cmp_time) enforces stricter + compliance with RFC 5280. Fractional seconds and timezone offsets + are no longer allowed. + [Emilia Käsper] + + *) Fixed a text canonicalisation bug in CMS + + Where a CMS detached signature is used with text content the text goes + through a canonicalisation process first prior to signing or verifying a + signature. This process strips trailing space at the end of lines, converts + line terminators to CRLF and removes additional trailing line terminators + at the end of a file. A bug in the canonicalisation process meant that + some characters, such as form-feed, were incorrectly treated as whitespace + and removed. This is contrary to the specification (RFC5485). This fix + could mean that detached text data signed with an earlier version of + OpenSSL 1.1.0 may fail to verify using the fixed version, or text data + signed with a fixed OpenSSL may fail to verify with an earlier version of + OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data + and use the "-binary" flag (for the "cms" command line application) or set + the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()). + [Matt Caswell] + Changes between 1.1.0g and 1.1.0h [27 Mar 2018] *) Constructed ASN.1 types with a recursive definition could exceed the stack @@ -1144,13 +1219,13 @@ [Steve Henson] *) Experimental encrypt-then-mac support. - + Experimental support for encrypt then mac from draft-gutmann-tls-encrypt-then-mac-02.txt To enable it set the appropriate extension number (0x42 for the test server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42 - + For non-compliant peers (i.e. just about everything) this should have no effect. @@ -1201,7 +1276,7 @@ *) Use separate DRBG fields for internal and external flags. New function FIPS_drbg_health_check() to perform on demand health checking. Add - generation tests to fips_test_suite with reduced health check interval to + generation tests to fips_test_suite with reduced health check interval to demonstrate periodic health checking. Add "nodh" option to fips_test_suite to skip very slow DH test. [Steve Henson] @@ -1215,7 +1290,7 @@ combination: call this in fips_test_suite. [Steve Henson] - *) Add support for canonical generation of DSA parameter 'g'. See + *) Add support for canonical generation of DSA parameter 'g'. See FIPS 186-3 A.2.3. *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and @@ -1239,7 +1314,7 @@ requested amount of entropy. [Steve Henson] - *) Add PRNG security strength checks to RSA, DSA and ECDSA using + *) Add PRNG security strength checks to RSA, DSA and ECDSA using information in FIPS186-3, SP800-57 and SP800-131A. [Steve Henson] @@ -1331,7 +1406,7 @@ can be set or retrieved with a ctrl. The IV length is by default 12 bytes (96 bits) but can be set to an alternative value. If the IV length exceeds the maximum IV length (currently 16 bytes) it cannot be - set before the key. + set before the key. [Steve Henson] *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the @@ -1374,7 +1449,7 @@ Add CMAC pkey methods. [Steve Henson] - *) Experimental renegotiation in s_server -www mode. If the client + *) Experimental renegotiation in s_server -www mode. If the client browses /reneg connection is renegotiated. If /renegcert it is renegotiated requesting a certificate. [Steve Henson] @@ -1394,7 +1469,7 @@ *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of a gcc attribute to warn if the result of a function is ignored. This is enable if DEBUG_UNUSED is set. Add to several functions in evp.h - whose return value is often ignored. + whose return value is often ignored. [Steve Henson] *) New -noct, -requestct, -requirect and -ctlogfile options for s_client. @@ -3628,7 +3703,7 @@ *) New option -sigopt to dgst utility. Update dgst to use EVP_Digest{Sign,Verify}*. These two changes make it possible to use - alternative signing parameters such as X9.31 or PSS in the dgst + alternative signing parameters such as X9.31 or PSS in the dgst utility. [Steve Henson] @@ -12379,7 +12454,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Fixed sk_insert which never worked properly. [Steve Henson] - *) Fix ASN1 macros so they can handle indefinite length constructed + *) Fix ASN1 macros so they can handle indefinite length constructed EXPLICIT tags. Some non standard certificates use these: they can now be read in. [Steve Henson] diff --git a/deps/openssl/openssl/CONTRIBUTING b/deps/openssl/openssl/CONTRIBUTING index 1eebaf37ec..a6977b8117 100644 --- a/deps/openssl/openssl/CONTRIBUTING +++ b/deps/openssl/openssl/CONTRIBUTING @@ -1,26 +1,26 @@ -HOW TO CONTRIBUTE PATCHES TO OpenSSL ------------------------------------- +HOW TO CONTRIBUTE TO OpenSSL +---------------------------- (Please visit https://www.openssl.org/community/getting-started.html for other ideas about how to contribute.) -Development is coordinated on the openssl-dev mailing list (see the -above link or https://mta.openssl.org for information on subscribing). -If you are unsure as to whether a feature will be useful for the general -OpenSSL community you might want to discuss it on the openssl-dev mailing -list first. Someone may be already working on the same thing or there -may be a good reason as to why that feature isn't implemented. +Development is done on GitHub, https://github.com/openssl/openssl. -To submit a patch, make a pull request on GitHub. If you think the patch -could use feedback from the community, please start a thread on openssl-dev -to discuss it. +To request new features or report bugs, please open an issue on GitHub -Having addressed the following items before the PR will help make the -acceptance and review process faster: +To submit a patch, please open a pull request on GitHub. If you are thinking +of making a large contribution, open an issue for it before starting work, +to get comments from the community. Someone may be already working on +the same thing or there may be reasons why that feature isn't implemented. - 1. Anything other than trivial contributions will require a contributor - licensing agreement, giving us permission to use your code. See - https://www.openssl.org/policies/cla.html for details. +To make it easier to review and accept your pull request, please follow these +guidelines: + + 1. Anything other than a trivial contribution requires a Contributor + License Agreement (CLA), giving us permission to use your code. See + https://www.openssl.org/policies/cla.html for details. If your + contribution is too small to require a CLA, put "CLA: trivial" on a + line by itself in your commit message body. 2. All source files should start with the following text (with appropriate comment characters at the start of each line and the @@ -34,21 +34,38 @@ acceptance and review process faster: https://www.openssl.org/source/license.html 3. Patches should be as current as possible; expect to have to rebase - often. We do not accept merge commits; You will be asked to remove - them before a patch is considered acceptable. + often. We do not accept merge commits, you will have to remove them + (usually by rebasing) before it will be acceptable. 4. Patches should follow our coding style (see - https://www.openssl.org/policies/codingstyle.html) and compile without - warnings. Where gcc or clang is available you should use the + https://www.openssl.org/policies/codingstyle.html) and compile + without warnings. Where gcc or clang is available you should use the --strict-warnings Configure option. OpenSSL compiles on many varied - platforms: try to ensure you only use portable features. - Clean builds via Travis and AppVeyor are expected, and done whenever - a PR is created or updated. + platforms: try to ensure you only use portable features. Clean builds + via Travis and AppVeyor are required, and they are started automatically + whenever a PR is created or updated. 5. When at all possible, patches should include tests. These can either be added to an existing test, or completely new. Please see test/README for information on the test framework. 6. New features or changed functionality must include - documentation. Please look at the "pod" files in doc/apps, doc/crypto - and doc/ssl for examples of our style. + documentation. Please look at the "pod" files in doc for + examples of our style. + + 7. For user visible changes (API changes, behaviour changes, ...), + consider adding a note in CHANGES. This could be a summarising + description of the change, and could explain the grander details. + Have a look through existing entries for inspiration. + Please note that this is NOT simply a copy of git-log oneliners. + Also note that security fixes get an entry in CHANGES. + This file helps users get more in depth information of what comes + with a specific release without having to sift through the higher + noise ratio in git-log. + + 8. For larger or more important user visible changes, as well as + security fixes, please add a line in NEWS. On exception, it might be + worth adding a multi-line entry (such as the entry that announces all + the types that became opaque with OpenSSL 1.1.0). + This file helps users get a very quick summary of what comes with a + specific release, to see if an upgrade is worth the effort. diff --git a/deps/openssl/openssl/Configurations/00-base-templates.conf b/deps/openssl/openssl/Configurations/00-base-templates.conf index a6b52de498..3455b3ace8 100644 --- a/deps/openssl/openssl/Configurations/00-base-templates.conf +++ b/deps/openssl/openssl/Configurations/00-base-templates.conf @@ -247,7 +247,7 @@ sha1_asm_src => "sha1-armv4-large.S sha256-armv4.S sha512-armv4.S", modes_asm_src => "ghash-armv4.S ghashv8-armx.S", chacha_asm_src => "chacha-armv4.S", - poly1305_asm_src=> "poly1305-armv4.S", + poly1305_asm_src=> "poly1305-armv4.S", perlasm_scheme => "void" }, aarch64_asm => { diff --git a/deps/openssl/openssl/Configurations/10-main.conf b/deps/openssl/openssl/Configurations/10-main.conf index b49f04b5d7..6c05c2809f 100644 --- a/deps/openssl/openssl/Configurations/10-main.conf +++ b/deps/openssl/openssl/Configurations/10-main.conf @@ -14,7 +14,7 @@ sub vc_win64a_info { asflags => "/c /Cp /Cx /Zi", asoutflag => "/Fo" }; } else { - $die->("NASM not found - please read INSTALL and NOTES.WIN for further details\n"); + $die->("NASM not found - make sure it's installed and available on %PATH%\n"); $vc_win64a_info = { as => "{unknown}", asflags => "", asoutflag => "" }; @@ -39,7 +39,7 @@ sub vc_win32_info { asoutflag => "/Fo", perlasm_scheme => "win32" }; } else { - $die->("NASM not found - please read INSTALL and NOTES.WIN for further details\n"); + $die->("NASM not found - make sure it's installed and available on %PATH%\n"); $vc_win32_info = { as => "{unknown}", asflags => "", asoutflag => "", @@ -428,8 +428,17 @@ sub vms_info { # even PA-RISC 2.0-specific code paths, which are chosen at run-time, # thus adequate performance is provided even with PA-RISC 1.1 build. # <appro@fy.chalmers.se> - "hpux-parisc-gcc" => { + "hpux-common" => { inherit_from => [ "BASE_unix" ], + template => 1, + defines => add("_XOPEN_SOURCE", "_XOPEN_SOURCE_EXTENDED", + "_HPUX_ALT_XOPEN_SOCKET_API"), + thread_scheme => "pthreads", + dso_scheme => "dlfcn", # overridden in 32-bit PA-RISC builds + shared_target => "hpux-shared", + }, + "hpux-parisc-gcc" => { + inherit_from => [ "hpux-common" ], cc => "gcc", cflags => combine(picker(default => "-DB_ENDIAN -DBN_DIV2W", debug => "-O0 -g", @@ -437,9 +446,7 @@ sub vms_info { threads("-pthread")), ex_libs => add("-Wl,+s -ldld", threads("-pthread")), bn_ops => "BN_LLONG", - thread_scheme => "pthreads", dso_scheme => "dl", - shared_target => "hpux-shared", shared_cflag => "-fPIC", shared_ldflag => "-shared", shared_extension => ".sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -449,7 +456,7 @@ sub vms_info { multilib => "/pa1.1", }, "hpux64-parisc2-gcc" => { - inherit_from => [ "BASE_unix", asm("parisc20_64_asm") ], + inherit_from => [ "hpux-common", asm("parisc20_64_asm") ], cc => "gcc", cflags => combine(picker(default => "-DB_ENDIAN", debug => "-O0 -g", @@ -457,9 +464,6 @@ sub vms_info { threads("-D_REENTRANT")), ex_libs => add("-ldl"), bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR", - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - shared_target => "hpux-shared", shared_cflag => "-fpic", shared_ldflag => "-shared", shared_extension => ".sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -471,7 +475,7 @@ sub vms_info { # Chris Ruemmler <ruemmler@cup.hp.com> # Kevin Steves <ks@hp.se> "hpux-parisc-cc" => { - inherit_from => [ "BASE_unix" ], + inherit_from => [ "hpux-common" ], cc => "cc", cflags => combine(picker(default => "+Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY", debug => "+O0 +d -g", @@ -479,9 +483,7 @@ sub vms_info { threads("-D_REENTRANT")), ex_libs => add("-Wl,+s -ldld",threads("-lpthread")), bn_ops => "RC4_CHAR", - thread_scheme => "pthreads", dso_scheme => "dl", - shared_target => "hpux-shared", shared_cflag => "+Z", shared_ldflag => "-b", shared_extension => ".sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -492,7 +494,7 @@ sub vms_info { multilib => "/pa1.1", }, "hpux64-parisc2-cc" => { - inherit_from => [ "BASE_unix", asm("parisc20_64_asm") ], + inherit_from => [ "hpux-common", asm("parisc20_64_asm") ], cc => "cc", cflags => combine(picker(default => "+DD64 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY", debug => "+O0 +d -g", @@ -500,9 +502,6 @@ sub vms_info { threads("-D_REENTRANT")), ex_libs => add("-ldl",threads("-lpthread")), bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR", - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - shared_target => "hpux-shared", shared_cflag => "+Z", shared_ldflag => "+DD64 -b", shared_extension => ".sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -511,7 +510,7 @@ sub vms_info { # HP/UX IA-64 targets "hpux-ia64-cc" => { - inherit_from => [ "BASE_unix", asm("ia64_asm") ], + inherit_from => [ "hpux-common", asm("ia64_asm") ], cc => "cc", cflags => combine(picker(default => "-Ae +DD32 +Olit=all -z -DB_ENDIAN", debug => "+O0 +d -g", @@ -519,9 +518,6 @@ sub vms_info { threads("-D_REENTRANT")), ex_libs => add("-ldl",threads("-lpthread")), bn_ops => "SIXTY_FOUR_BIT", - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - shared_target => "hpux-shared", shared_cflag => "+Z", shared_ldflag => "+DD32 -b", shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -530,7 +526,7 @@ sub vms_info { # Frank Geurts <frank.geurts@nl.abnamro.com> has patiently assisted # with debugging of the following config. "hpux64-ia64-cc" => { - inherit_from => [ "BASE_unix", asm("ia64_asm") ], + inherit_from => [ "hpux-common", asm("ia64_asm") ], cc => "cc", cflags => combine(picker(default => "-Ae +DD64 +Olit=all -z -DB_ENDIAN", debug => "+O0 +d -g", @@ -538,9 +534,6 @@ sub vms_info { threads("-D_REENTRANT")), ex_libs => add("-ldl", threads("-lpthread")), bn_ops => "SIXTY_FOUR_BIT_LONG", - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - shared_target => "hpux-shared", shared_cflag => "+Z", shared_ldflag => "+DD64 -b", shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -548,7 +541,7 @@ sub vms_info { }, # GCC builds... "hpux-ia64-gcc" => { - inherit_from => [ "BASE_unix", asm("ia64_asm") ], + inherit_from => [ "hpux-common", asm("ia64_asm") ], cc => "gcc", cflags => combine(picker(default => "-DB_ENDIAN", debug => "-O0 -g", @@ -556,16 +549,13 @@ sub vms_info { threads("-pthread")), ex_libs => add("-ldl", threads("-pthread")), bn_ops => "SIXTY_FOUR_BIT", - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - shared_target => "hpux-shared", shared_cflag => "-fpic", shared_ldflag => "-shared", shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", multilib => "/hpux32", }, "hpux64-ia64-gcc" => { - inherit_from => [ "BASE_unix", asm("ia64_asm") ], + inherit_from => [ "hpux-common", asm("ia64_asm") ], cc => "gcc", cflags => combine(picker(default => "-mlp64 -DB_ENDIAN", debug => "-O0 -g", @@ -573,9 +563,6 @@ sub vms_info { threads("-pthread")), ex_libs => add("-ldl", threads("-pthread")), bn_ops => "SIXTY_FOUR_BIT_LONG", - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - shared_target => "hpux-shared", shared_cflag => "-fpic", shared_ldflag => "-mlp64 -shared", shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -1223,6 +1210,7 @@ sub vms_info { perlasm_scheme => "aix32", dso_scheme => "dlfcn", shared_target => "aix-shared", + shared_cflag => "-qpic", shared_ldflag => "-q32 -G", shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", arflags => "-X 32", @@ -1241,6 +1229,7 @@ sub vms_info { perlasm_scheme => "aix64", dso_scheme => "dlfcn", shared_target => "aix-shared", + shared_cflag => "-qpic", shared_ldflag => "-q64 -G", shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", arflags => "-X 64", diff --git a/deps/openssl/openssl/Configurations/90-team.conf b/deps/openssl/openssl/Configurations/90-team.conf deleted file mode 100644 index 0a83c22aaa..0000000000 --- a/deps/openssl/openssl/Configurations/90-team.conf +++ /dev/null @@ -1,112 +0,0 @@ -## -*- mode: perl; -*- -## Build configuration targets for openssl-team members - -%targets = ( - "purify" => { - cc => "purify gcc", - cflags => "-g -Wall", - thread_scheme => "(unknown)", - ex_libs => add(" ","-lsocket -lnsl"), - }, - "debug" => { - cc => "gcc", - cflags => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror", - thread_scheme => "(unknown)", - }, - "debug-erbridge" => { - inherit_from => [ "x86_64_asm" ], - cc => "gcc", - cflags => combine("$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g", - threads("-D_REENTRANT")), - ex_libs => add(" ","-ldl"), - bn_ops => "SIXTY_FOUR_BIT_LONG", - thread_scheme => "pthreads", - perlasm_scheme => "elf", - dso_scheme => "dlfcn", - shared_target => "linux-shared", - shared_cflag => "-fPIC", - shared_ldflag => "-m64", - shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", - multilib => "64", - }, - "debug-linux-pentium" => { - inherit_from => [ "x86_elf_asm" ], - cc => "gcc", - cflags => combine("-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentium -Wall", - threads("-D_REENTRANT")), - ex_libs => add(" ","-ldl"), - bn_ops => "BN_LLONG", - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - }, - "debug-linux-ppro" => { - inherit_from => [ "x86_elf_asm" ], - cc => "gcc", - cflags => combine("-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall", - threads("-D_REENTRANT")), - ex_libs => add(" ","-ldl"), - bn_ops => "BN_LLONG", - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - }, - "debug-linux-ia32-aes" => { - cc => "gcc", - cflags => combine("-DL_ENDIAN -O3 -fomit-frame-pointer -Wall", - threads("-D_REENTRANT")), - ex_libs => add(" ","-ldl"), - bn_ops => "BN_LLONG", - cpuid_asm_src => "x86cpuid.s", - bn_asm_src => "bn-586.s co-586.s x86-mont.s", - des_asm_src => "des-586.s crypt586.s", - aes_asm_src => "aes_x86core.s aes_cbc.s aesni-x86.s", - bf_asm_src => "bf-586.s", - md5_asm_src => "md5-586.s", - sha1_asm_src => "sha1-586.s sha256-586.s sha512-586.s", - cast_asm_src => "cast-586.s", - rc4_asm_src => "rc4-586.s", - rmd160_asm_src => "rmd-586.s", - rc5_asm_src => "rc5-586.s", - wp_asm_src => "wp_block.s wp-mmx.s", - modes_asm_src => "ghash-x86.s", - padlock_asm_src => "e_padlock-x86.s", - thread_scheme => "pthreads", - perlasm_scheme => "elf", - dso_scheme => "dlfcn", - shared_target => "linux-shared", - shared_cflag => "-fPIC", - shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", - }, - "dist" => { - cc => "cc", - cflags => "-O", - thread_scheme => "(unknown)", - }, - "debug-test-64-clang" => { - inherit_from => [ "x86_64_asm" ], - cc => "clang", - cflags => combine("$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe", - threads("${BSDthreads}")), - bn_ops => "SIXTY_FOUR_BIT_LONG", - thread_scheme => "pthreads", - perlasm_scheme => "elf", - dso_scheme => "dlfcn", - shared_target => "bsd-gcc-shared", - shared_cflag => "-fPIC", - shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", - }, - "darwin64-debug-test-64-clang" => { - inherit_from => [ "x86_64_asm" ], - cc => "clang", - cflags => combine("-arch x86_64 -DL_ENDIAN $gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe", - threads("${BSDthreads}")), - sys_id => "MACOSX", - bn_ops => "SIXTY_FOUR_BIT_LONG", - thread_scheme => "pthreads", - perlasm_scheme => "macosx", - dso_scheme => "dlfcn", - shared_target => "darwin-shared", - shared_cflag => "-fPIC -fno-common", - shared_ldflag => "-arch x86_64 -dynamiclib", - shared_extension => ".\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", - }, -); diff --git a/deps/openssl/openssl/Configurations/INTERNALS.Configure b/deps/openssl/openssl/Configurations/INTERNALS.Configure index 6d148196ff..b28305deca 100644 --- a/deps/openssl/openssl/Configurations/INTERNALS.Configure +++ b/deps/openssl/openssl/Configurations/INTERNALS.Configure @@ -133,3 +133,4 @@ Example 4: | ENDIF | 1 | | | ... whatever ... | | this line is processed | | ENDIF | | | + diff --git a/deps/openssl/openssl/Configurations/README b/deps/openssl/openssl/Configurations/README index e85673c591..6e13645491 100644 --- a/deps/openssl/openssl/Configurations/README +++ b/deps/openssl/openssl/Configurations/README @@ -81,7 +81,7 @@ In each table entry, the following keys are significant: '<unistd.h>'. This is very rarely needed. shared_extension => File name extension used for shared - libraries. + libraries. obj_extension => File name extension used for object files. On unix, this defaults to ".o" (NOTE: this is here for future use, it's not @@ -471,11 +471,11 @@ clash with those generated by Configure, it's possible to tell it not to generate them with the use of OVERRIDES, for example: SOURCE[libfoo]=foo.c bar.c - + OVERRIDES=bar.o BEGINRAW[Makefile(unix)] bar.o: bar.c - $(CC) $(CFLAGS) -DSPECIAL -c -o $@ $< + $(CC) $(CFLAGS) -DSPECIAL -c -o $@ $< ENDRAW[Makefile(unix)] See the documentation further up for more information on configuration diff --git a/deps/openssl/openssl/Configurations/README.design b/deps/openssl/openssl/Configurations/README.design index 7179ec027f..bea9790afb 100644 --- a/deps/openssl/openssl/Configurations/README.design +++ b/deps/openssl/openssl/Configurations/README.design @@ -90,7 +90,7 @@ depends on the library 'libssl' to function properly. LIBS=../libcrypto SOURCE[../libcrypto]=aes.c evp.c cversion.c DEPEND[cversion.o]=buildinf.h - + GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" DEPEND[buildinf.h]=../Makefile DEPEND[../util/mkbuildinf.pl]=../util/Foo.pm @@ -105,7 +105,7 @@ show that duplicate information isn't an issue. This build.info file informs us that 'libcrypto' is built from a few source files, 'crypto/aes.c', 'crypto/evp.c' and 'crypto/cversion.c'. It also shows us that building the object file inferred from -'crypto/cversion.c' depends on 'crypto/buildinf.h'. Finally, it +'crypto/cversion.c' depends on 'crypto/buildinf.h'. Finally, it also shows the possibility to declare how some files are generated using some script, in this case a perl script, and how such scripts can be declared to depend on other files, in this case a perl module. @@ -157,7 +157,7 @@ information comes down to this: SOURCE[libssl]=ssl/tls.c INCLUDE[libssl]=include DEPEND[libssl]=libcrypto - + PROGRAMS=apps/openssl SOURCE[apps/openssl]=apps/openssl.c INCLUDE[apps/openssl]=. include @@ -172,7 +172,7 @@ information comes down to this: SOURCE[engines/ossltest]=engines/e_ossltest.c DEPEND[engines/ossltest]=libcrypto INCLUDE[engines/ossltest]=include - + GENERATE[crypto/buildinf.h]=util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" DEPEND[crypto/buildinf.h]=Makefile DEPEND[util/mkbuildinf.pl]=util/Foo.pm diff --git a/deps/openssl/openssl/Configurations/dist.conf b/deps/openssl/openssl/Configurations/dist.conf new file mode 100644 index 0000000000..4f58dad914 --- /dev/null +++ b/deps/openssl/openssl/Configurations/dist.conf @@ -0,0 +1,12 @@ +## -*- mode: perl; -*- +## Build configuration targets for openssl-team members + +# This is to support 'make dist' +%targets = ( + "dist" => { + inherit_from => [ 'BASE_unix' ], + cc => "cc", + cflags => "-O", + thread_scheme => "(unknown)", + }, +); diff --git a/deps/openssl/openssl/Configurations/unix-Makefile.tmpl b/deps/openssl/openssl/Configurations/unix-Makefile.tmpl index 40cf2c3df4..034d93e653 100644 --- a/deps/openssl/openssl/Configurations/unix-Makefile.tmpl +++ b/deps/openssl/openssl/Configurations/unix-Makefile.tmpl @@ -664,8 +664,10 @@ tar: DISTDIR=$(NAME); \ mkdir -p $$TMPDIR/$$DISTDIR; \ (cd $(SRCDIR); \ + excl_re="^(fuzz/corpora|Configurations/.*\.norelease\.conf)"; \ + echo "$$excl_re"; \ git ls-tree -r --name-only --full-tree HEAD \ - | grep -v '^fuzz/corpora' \ + | egrep -v "$$excl_re" \ | while read F; do \ mkdir -p $$TMPDIR/$$DISTDIR/`dirname $$F`; \ cp $$F $$TMPDIR/$$DISTDIR/$$F; \ @@ -848,7 +850,7 @@ EOF $recipe .= <<"EOF"; $obj$objext: $deps ( trap "rm -f \$@.*" INT 0; \\ - \$(CPP) $incs \$(CFLAGS) $ecflags $srcs | \\ + \$(CC) $incs \$(CFLAGS) $ecflags -E $srcs | \\ \$(PERL) -ne '/^#(line)?\\s*[0-9]+/ or print' > \$@.s && \\ \$(CC) \$(CFLAGS) $ecflags -c -o \$\@ \$@.s ) EOF diff --git a/deps/openssl/openssl/Configurations/windows-checker.pm b/deps/openssl/openssl/Configurations/windows-checker.pm index de46fbc1df..4b7105df33 100644 --- a/deps/openssl/openssl/Configurations/windows-checker.pm +++ b/deps/openssl/openssl/Configurations/windows-checker.pm @@ -6,7 +6,7 @@ use Config; # we expect for the platform use File::Spec::Functions qw(:DEFAULT rel2abs); -if (rel2abs('.') !~ m|\\|) { +if (!$ENV{CONFIGURE_INSIST} && rel2abs('.') !~ m|\\|) { die <<EOF; ****************************************************************************** diff --git a/deps/openssl/openssl/Configurations/windows-makefile.tmpl b/deps/openssl/openssl/Configurations/windows-makefile.tmpl index e3e213f610..40dc41d0b4 100644 --- a/deps/openssl/openssl/Configurations/windows-makefile.tmpl +++ b/deps/openssl/openssl/Configurations/windows-makefile.tmpl @@ -88,20 +88,20 @@ GENERATED={- join(" ", grep { /\.o$/ } keys %{$unified_info{sources}} ), ( grep { /\.h$/ } keys %{$unified_info{generate}} )) -} -INSTALL_LIBS={- join(" ", map { $_.$libext } @{$unified_info{install}->{libraries}}) -} -INSTALL_SHLIBS={- join(" ", map { shlib($_) } @{$unified_info{install}->{libraries}}) -} -INSTALL_SHLIBPDBS={- join(" ", map { local $shlibext = ".pdb"; shlib($_) } @{$unified_info{install}->{libraries}}) -} -INSTALL_ENGINES={- join(" ", map { dso($_) } @{$unified_info{install}->{engines}}) -} -INSTALL_ENGINEPDBS={- join(" ", map { local $dsoext = ".pdb"; dso($_) } @{$unified_info{install}->{engines}}) -} -INSTALL_PROGRAMS={- join(" ", map { $_.$exeext } grep { !m|^test\\| } @{$unified_info{install}->{programs}}) -} -INSTALL_PROGRAMPDBS={- join(" ", map { $_.".pdb" } grep { !m|^test\\| } @{$unified_info{install}->{programs}}) -} +INSTALL_LIBS={- join(" ", map { quotify1($_.$libext) } @{$unified_info{install}->{libraries}}) -} +INSTALL_SHLIBS={- join(" ", map { quotify_l(shlib($_)) } @{$unified_info{install}->{libraries}}) -} +INSTALL_SHLIBPDBS={- join(" ", map { local $shlibext = ".pdb"; quotify_l(shlib($_)) } @{$unified_info{install}->{libraries}}) -} +INSTALL_ENGINES={- join(" ", map { quotify1(dso($_)) } @{$unified_info{install}->{engines}}) -} +INSTALL_ENGINEPDBS={- join(" ", map { local $dsoext = ".pdb"; quotify1(dso($_)) } @{$unified_info{install}->{engines}}) -} +INSTALL_PROGRAMS={- join(" ", map { quotify1($_.$exeext) } grep { !m|^test\\| } @{$unified_info{install}->{programs}}) -} +INSTALL_PROGRAMPDBS={- join(" ", map { quotify1($_.".pdb") } grep { !m|^test\\| } @{$unified_info{install}->{programs}}) -} {- output_off() if $disabled{apps}; "" -} -BIN_SCRIPTS=$(BLDDIR)\tools\c_rehash.pl -MISC_SCRIPTS=$(BLDDIR)\apps\CA.pl $(BLDDIR)\apps\tsget.pl +BIN_SCRIPTS="$(BLDDIR)\tools\c_rehash.pl" +MISC_SCRIPTS="$(BLDDIR)\apps\CA.pl" "$(BLDDIR)\apps\tsget.pl" {- output_on() if $disabled{apps}; "" -} APPS_OPENSSL={- use File::Spec::Functions; - catfile("apps","openssl") -} + "\"".catfile("apps","openssl")."\"" -} # Do not edit these manually. Use Configure with --prefix or --openssldir # to change this! Short explanation in the top comment in Configure @@ -182,6 +182,9 @@ MTOUTFLAG={- $target{mtoutflag} || "-outputresource:" -}$(OSSL_EMPTY) AS={- $target{as} -} ASFLAGS={- $target{asflags} -} ASOUTFLAG={- $target{asoutflag} -}$(OSSL_EMPTY) + +ECHO="$(PERL)" "$(SRCDIR)\util\echo.pl" + PERLASM_SCHEME= {- $target{perlasm_scheme} -} PROCESSOR= {- $config{processor} -} @@ -207,7 +210,7 @@ build_all_generated: $(GENERATED_MANDATORY) $(GENERATED) test: tests {- dependmagic('tests'); -}: build_programs_nodep build_engines_nodep - @rem {- output_off() if $disabled{tests}; "" -} + @{- output_off() if $disabled{tests}; "" -} -mkdir $(BLDDIR)\test\test-runs set SRCTOP=$(SRCDIR) set BLDTOP=$(BLDDIR) @@ -216,17 +219,17 @@ test: tests set OPENSSL_ENGINES=$(MAKEDIR)\engines set OPENSSL_DEBUG_MEMORY=on "$(PERL)" "$(SRCDIR)\test\run_tests.pl" $(TESTS) - @rem {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} - @echo "Tests are not supported with your chosen Configure options" - @rem {- output_on() if !$disabled{tests}; "" -} + @{- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} + @$(ECHO) "Tests are not supported with your chosen Configure options" + @{- output_on() if !$disabled{tests}; "" -} list-tests: - @rem {- output_off() if $disabled{tests}; "" -} + @{- output_off() if $disabled{tests}; "" -} @set SRCTOP=$(SRCDIR) @"$(PERL)" "$(SRCDIR)\test\run_tests.pl" list - @rem {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} - @echo "Tests are not supported with your chosen Configure options" - @rem {- output_on() if !$disabled{tests}; "" -} + @{- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} + @$(ECHO) "Tests are not supported with your chosen Configure options" + @{- output_on() if !$disabled{tests}; "" -} install: install_sw install_ssldirs install_docs @@ -285,16 +288,17 @@ install_ssldirs: "$(OPENSSLDIR)\misc" install_dev: - @if "$(INSTALLTOP)"=="" ( echo INSTALLTOP should not be empty & exit 1 ) - @echo *** Installing development files + @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) + @$(ECHO) "*** Installing development files" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl" - @rem {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } @{$target{defines}}; "" -} + @{- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } @{$target{defines}}; "" -} @"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(SRCDIR)\ms\applink.c" \ "$(INSTALLTOP)\include\openssl" - @rem {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } @{$target{defines}}; "" -} - @"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(SRCDIR)\include\openssl\*.h" \ + @{- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } @{$target{defines}}; "" -} + @"$(PERL)" "$(SRCDIR)\util\copy.pl" "-exclude_re=/__DECC_" \ + "$(SRCDIR)\include\openssl\*.h" \ "$(INSTALLTOP)\include\openssl" - @"$(PERL)" "$(SRCDIR)\util\copy.pl" $(BLDDIR)\include\openssl\*.h \ + @"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(BLDDIR)\include\openssl\*.h" \ "$(INSTALLTOP)\include\openssl" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\$(LIBDIR)" @"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_LIBS) \ @@ -306,8 +310,8 @@ install_dev: uninstall_dev: install_engines: - @if "$(INSTALLTOP)"=="" ( echo INSTALLTOP should not be empty & exit 1 ) - @echo *** Installing engines + @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) + @$(ECHO) "*** Installing engines" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(ENGINESDIR)" @if not "$(ENGINES)"=="" \ "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_ENGINES) "$(ENGINESDIR)" @@ -317,8 +321,8 @@ install_engines: uninstall_engines: install_runtime: - @if "$(INSTALLTOP)"=="" ( echo INSTALLTOP should not be empty & exit 1 ) - @echo *** Installing runtime files + @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) + @$(ECHO) "*** Installing runtime files" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\bin" @if not "$(SHLIBS)"=="" \ "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBS) "$(INSTALLTOP)\bin" @@ -343,14 +347,14 @@ uninstall_html_docs: # Building targets ################################################### configdata.pm: "$(SRCDIR)\Configure" {- join(" ", map { '"'.$_.'"' } @{$config{build_file_templates}}, @{$config{build_infos}}, @{$config{conf_files}}) -} - @echo "Detected changed: $?" - @echo "Reconfiguring..." + @$(ECHO) "Detected changed: $?" + @$(ECHO) "Reconfiguring..." "$(PERL)" "$(SRCDIR)\Configure" reconf - @echo "**************************************************" - @echo "*** ***" - @echo "*** Please run the same make command again ***" - @echo "*** ***" - @echo "**************************************************" + @$(ECHO) "**************************************************" + @$(ECHO) "*** ***" + @$(ECHO) "*** Please run the same make command again ***" + @$(ECHO) "*** ***" + @$(ECHO) "**************************************************" @exit 1 {- @@ -604,8 +608,6 @@ EOF foreach my $prod (@{$unified_info{dirinfo}->{$dir}->{products}->{$type}}) { if (dirname($prod) eq $dir) { push @deps, $prod.$extinfo{$type}; - } else { - push @actions, "\t@rem No support to produce $type ".join(", ", @{$unified_info{dirinfo}->{$dir}->{products}->{$type}}); } } } diff --git a/deps/openssl/openssl/Configure b/deps/openssl/openssl/Configure index c0033643c6..d85ff6aa4d 100755 --- a/deps/openssl/openssl/Configure +++ b/deps/openssl/openssl/Configure @@ -20,6 +20,9 @@ use OpenSSL::Glob; # see INSTALL for instructions. +my $orig_death_handler = $SIG{__DIE__}; +$SIG{__DIE__} = \&death_handler; + my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; # Options: @@ -756,21 +759,21 @@ while (@argvcopy) else { $config{options} .= " ".$_; } } + } - if (defined($config{api}) && !exists $apitable->{$config{api}}) { - die "***** Unsupported api compatibility level: $config{api}\n", - } +if (defined($config{api}) && !exists $apitable->{$config{api}}) { + die "***** Unsupported api compatibility level: $config{api}\n", +} - if (keys %deprecated_options) - { - warn "***** Deprecated options: ", - join(", ", keys %deprecated_options), "\n"; - } - if (keys %unsupported_options) - { - die "***** Unsupported options: ", - join(", ", keys %unsupported_options), "\n"; - } +if (keys %deprecated_options) + { + warn "***** Deprecated options: ", + join(", ", keys %deprecated_options), "\n"; + } +if (keys %unsupported_options) + { + die "***** Unsupported options: ", + join(", ", keys %unsupported_options), "\n"; } if ($libs =~ /(^|\s)-Wl,-rpath,/ @@ -908,11 +911,12 @@ if ($d) { $target = $t; } } + +&usage if !$table{$target} || $table{$target}->{template}; + $config{target} = $target; my %target = resolve_config($target); -&usage if (!%target || $target{template}); - my %conf_files = map { $_ => 1 } (@{$target{_conf_fname_int}}); $config{conf_files} = [ sort keys %conf_files ]; %target = ( %{$table{DEFAULTS}}, %target ); @@ -1215,8 +1219,10 @@ if ($^O ne "VMS") { if (!$disabled{makedepend}) { # We know that GNU C version 3 and up as well as all clang - # versions support dependency generation - if ($predefined{__GNUC__} >= 3) { + # versions support dependency generation, but Xcode did not + # handle $cc -M before clang support (but claims __GNUC__ = 3) + if (($predefined{__GNUC__} // -1) >= 3 + && !($predefined{__APPLE_CC__} && !$predefined{__clang__})) { $config{makedepprog} = $cc; } else { $config{makedepprog} = which('makedepend'); @@ -2125,6 +2131,8 @@ my %builders = ( $builders{$builder}->($builder_platform, @builder_opts); +$SIG{__DIE__} = $orig_death_handler; + print <<"EOF"; Configured for $target. @@ -2153,6 +2161,24 @@ exit(0); # Helpers and utility functions # +# Death handler, to print a helpful message in case of failure ####### +# +sub death_handler { + die @_ if $^S; # To prevent the added message in eval blocks + my $build_file = $target{build_file} // "build file"; + my @message = ( <<"_____", @_ ); + +Failure! $build_file wasn't produced. +Please read INSTALL and associated NOTES files. You may also have to look over +your available compiler tool chain or change your configuration. + +_____ + + # Dying is terminal, so it's ok to reset the signal handler here. + $SIG{__DIE__} = $orig_death_handler; + die @message; +} + # Configuration file reading ######################################### # Note: All of the helper functions are for lazy evaluation. They all diff --git a/deps/openssl/openssl/INSTALL b/deps/openssl/openssl/INSTALL index e9b33a5336..5a98d1da83 100644 --- a/deps/openssl/openssl/INSTALL +++ b/deps/openssl/openssl/INSTALL @@ -3,7 +3,8 @@ -------------------- This document describes installation on all supported operating - systems (the Linux/Unix family, OpenVMS and Windows) + systems (the Unix/Linux family (which includes Mac OS/X), OpenVMS, + and Windows). To install OpenSSL, you will need: @@ -76,7 +77,7 @@ If you want to just get on with it, do: - on Unix: + on Unix (again, this includes Mac OS/X): $ ./config $ make @@ -208,7 +209,7 @@ without a path). This flag must be provided if the zlib-dynamic option is not also used. If zlib-dynamic is used then this flag is optional and a default value ("ZLIB1") is - used if not provided. + used if not provided. On VMS: this is the filename of the zlib library (with or without a path). This flag is optional and if not provided then "GNV$LIBZSHR", "GNV$LIBZSHR32" or "GNV$LIBZSHR64" is @@ -663,7 +664,7 @@ $ nmake TESTS='test_rsa test_dsa' test # Windows And of course, you can combine (Unix example shown): - + $ make VERBOSE=1 TESTS='test_rsa test_dsa' test You can find the list of available tests like this: @@ -733,7 +734,7 @@ command symbols. [.SYSTEST] Contains the installation verification procedure. [.HTML] Contains the HTML rendition of the manual pages. - + Additionally, install will add the following directories under OPENSSLDIR (the directory given with --openssldir or its default) diff --git a/deps/openssl/openssl/NEWS b/deps/openssl/openssl/NEWS index 8744fe68ec..b6cf1f21ac 100644 --- a/deps/openssl/openssl/NEWS +++ b/deps/openssl/openssl/NEWS @@ -5,6 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [14 Aug 2018] + + o Client DoS due to large DH parameter (CVE-2018-0732) + o Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) + Major changes between OpenSSL 1.1.0g and OpenSSL 1.1.0h [27 Mar 2018] o Constructed ASN.1 types with a recursive definition could exceed the diff --git a/deps/openssl/openssl/NOTES.DJGPP b/deps/openssl/openssl/NOTES.DJGPP index d43d4e86de..bbe63dc154 100644 --- a/deps/openssl/openssl/NOTES.DJGPP +++ b/deps/openssl/openssl/NOTES.DJGPP @@ -1,5 +1,5 @@ - + INSTALLATION ON THE DOS PLATFORM WITH DJGPP ------------------------------------------- @@ -29,7 +29,7 @@ running "./Configure" with appropriate arguments: ./Configure no-threads --prefix=/dev/env/DJDIR DJGPP - + And finally fire up "make". You may run out of DPMI selectors when running in a DOS box under Windows. If so, just close the BASH shell, go back to Windows, and restart BASH. Then run "make" again. diff --git a/deps/openssl/openssl/NOTES.VMS b/deps/openssl/openssl/NOTES.VMS index 7d74f0dbdd..3e9a57e805 100644 --- a/deps/openssl/openssl/NOTES.VMS +++ b/deps/openssl/openssl/NOTES.VMS @@ -42,7 +42,7 @@ for now is to rename the OpenSSL source directory, as follows (please adjust for the actual source directory name you have): - $ rename openssl-1^.1^.0.DIR openssl-1_1_0.DIR + $ rename openssl-1^.1^.0.DIR openssl-1_1_0.DIR About MMS and DCL diff --git a/deps/openssl/openssl/README b/deps/openssl/openssl/README index 3491280ead..76888cbb09 100644 --- a/deps/openssl/openssl/README +++ b/deps/openssl/openssl/README @@ -1,7 +1,7 @@ - OpenSSL 1.1.0h 27 Mar 2018 + OpenSSL 1.1.0i 14 Aug 2018 - Copyright (c) 1998-2016 The OpenSSL Project + Copyright (c) 1998-2018 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff --git a/deps/openssl/openssl/README.ECC b/deps/openssl/openssl/README.ECC index 86f5b23070..fa3cad7aa7 100644 --- a/deps/openssl/openssl/README.ECC +++ b/deps/openssl/openssl/README.ECC @@ -5,56 +5,57 @@ Center (NCSC) dated 2010-11-04. That agreement permits implementation and distribution of software containing features covered by any or all of the following patents: -1.) U.S. Pat. No. 5,761,305 entitled "Key Agreement and Transport Protocol +1.) U.S. Pat. No. 5,761,305 entitled "Key Agreement and Transport Protocol with Implicit Signatures" issued on June 2, 1998; -2.) Can. Pat. Appl. Ser. No. 2176972 entitled "Key Agreement and Transport - Protocol with Implicit Signature and Reduced Bandwidth" filed on May +2.) Can. Pat. Appl. Ser. No. 2176972 entitled "Key Agreement and Transport + Protocol with Implicit Signature and Reduced Bandwidth" filed on May 16, 1996; -3.) U.S. Pat. No. 5,889,865 entitled "Key Agreement and Transport Protocol +3.) U.S. Pat. No. 5,889,865 entitled "Key Agreement and Transport Protocol with Implicit Signatures" issued on March 30, 1999; -4.) U.S. Pat. No. 5,896,455 entitled "Key Agreement and Transport Protocol +4.) U.S. Pat. No. 5,896,455 entitled "Key Agreement and Transport Protocol with Implicit Signatures" issued on April 20, 1999; -5.) U.S. Pat. No. 5,933,504 entitled "Strengthened Public Key Protocol" +5.) U.S. Pat. No. 5,933,504 entitled "Strengthened Public Key Protocol" issued on August 3, 1999; -6.) Can. Pat. Appl. Ser. No. 2176866 entitled "Strengthened Public Key +6.) Can. Pat. Appl. Ser. No. 2176866 entitled "Strengthened Public Key Protocol" filed on May 17, 1996; -7.) E.P. Pat. Appl. Ser. No. 96201322.3 entitled "Strengthened Public Key +7.) E.P. Pat. Appl. Ser. No. 96201322.3 entitled "Strengthened Public Key Protocol" filed on May 17, 1996; -8.) U.S. Pat. No. 5,999,626 entitled "Digital Signatures on a Smartcard" +8.) U.S. Pat. No. 5,999,626 entitled "Digital Signatures on a Smartcard" issued on December 7, 1999; -9.) Can. Pat. Appl. Ser. No. 2202566 entitled "Digital Signatures on a +9.) Can. Pat. Appl. Ser. No. 2202566 entitled "Digital Signatures on a Smartcard" filed on April 14, 1997; -10.) E.P. Pat. Appl. No. 97106114.8 entitled "Digital Signatures on a +10.) E.P. Pat. Appl. No. 97106114.8 entitled "Digital Signatures on a Smartcard" filed on April 15, 1997; -11.) U.S Pat. No. 6,122,736 entitled "Key Agreement and Transport Protocol +11.) U.S Pat. No. 6,122,736 entitled "Key Agreement and Transport Protocol with Implicit Signatures" issued on September 19, 2000; -12.) Can. Pat. Appl. Ser. No. 2174261 entitled "Key Agreement and Transport +12.) Can. Pat. Appl. Ser. No. 2174261 entitled "Key Agreement and Transport Protocol with Implicit Signatures" filed on April 16, 1996; -13.) E.P. Pat. Appl. Ser. No. 96105920.1 entitled "Key Agreement and +13.) E.P. Pat. Appl. Ser. No. 96105920.1 entitled "Key Agreement and Transport Protocol with Implicit Signatures" filed on April 16, 1996; -14.) U.S. Pat. No. 6,141,420 entitled "Elliptic Curve Encryption Systems" +14.) U.S. Pat. No. 6,141,420 entitled "Elliptic Curve Encryption Systems" issued on October 31, 2000; -15.) Can. Pat. Appl. Ser. No. 2155038 entitled "Elliptic Curve Encryption +15.) Can. Pat. Appl. Ser. No. 2155038 entitled "Elliptic Curve Encryption Systems" filed on July 31, 1995; -16.) E.P. Pat. Appl. Ser. No. 95926348.4 entitled "Elliptic Curve Encryption +16.) E.P. Pat. Appl. Ser. No. 95926348.4 entitled "Elliptic Curve Encryption Systems" filed on July 31, 1995; -17.) U.S. Pat. No. 6,336,188 entitled "Authenticated Key Agreement" issued +17.) U.S. Pat. No. 6,336,188 entitled "Authenticated Key Agreement" issued on January 1, 2002; -18.) U.S. Pat. No. 6,487,661 entitled "Key Agreement and Transport Protocol" +18.) U.S. Pat. No. 6,487,661 entitled "Key Agreement and Transport Protocol" issued on November 26, 2002; -19.) Can. Pat. Appl. Ser. No. 2174260 entitled "Key Agreement and Transport +19.) Can. Pat. Appl. Ser. No. 2174260 entitled "Key Agreement and Transport Protocol" filed on April 16, 1996; -20.) E.P. Pat. Appl. Ser. No. 96105921.9 entitled "Key Agreement and +20.) E.P. Pat. Appl. Ser. No. 96105921.9 entitled "Key Agreement and Transport Protocol" filed on April 21, 1996; -21.) U.S. Pat. No. 6,563,928 entitled "Strengthened Public Key Protocol" +21.) U.S. Pat. No. 6,563,928 entitled "Strengthened Public Key Protocol" issued on May 13, 2003; -22.) U.S. Pat. No. 6,618,483 entitled "Elliptic Curve Encryption Systems" +22.) U.S. Pat. No. 6,618,483 entitled "Elliptic Curve Encryption Systems" issued September 9, 2003; -23.) U.S. Pat. Appl. Ser. No. 09/434,247 entitled "Digital Signatures on a +23.) U.S. Pat. Appl. Ser. No. 09/434,247 entitled "Digital Signatures on a Smartcard" filed on November 5, 1999; -24.) U.S. Pat. Appl. Ser. No. 09/558,256 entitled "Key Agreement and +24.) U.S. Pat. Appl. Ser. No. 09/558,256 entitled "Key Agreement and Transport Protocol with Implicit Signatures" filed on April 25, 2000; -25.) U.S. Pat. Appl. Ser. No. 09/942,492 entitled "Digital Signatures on a +25.) U.S. Pat. Appl. Ser. No. 09/942,492 entitled "Digital Signatures on a Smartcard" filed on August 29, 2001 and published on July 18, 2002; and, -26.) U.S. Pat. Appl. Ser. No. 10/185,735 entitled "Strengthened Public Key +26.) U.S. Pat. Appl. Ser. No. 10/185,735 entitled "Strengthened Public Key Protocol" filed on July 1, 2000. + diff --git a/deps/openssl/openssl/VMS/openssl_ivp.com.in b/deps/openssl/openssl/VMS/openssl_ivp.com.in index e888b52879..825a699c4f 100644 --- a/deps/openssl/openssl/VMS/openssl_ivp.com.in +++ b/deps/openssl/openssl/VMS/openssl_ivp.com.in @@ -16,7 +16,7 @@ $ OPENSSLDIR_ = F$PARSE("A.;",OPENSSLDIR,,,"NO_CONCEAL") - $ $ v := {- sprintf "%02d%02d", split(/\./, $config{version}) -} $ pz := {- $config{pointer_size} -} -$ +$ $ @'INSTALLTOP_'SYS$STARTUP]openssl_startup'v' $ @'INSTALLTOP_'SYS$STARTUP]openssl_utils'v' $ diff --git a/deps/openssl/openssl/apps/apps.c b/deps/openssl/openssl/apps/apps.c index 8703d0cc31..d52201f1f3 100644 --- a/deps/openssl/openssl/apps/apps.c +++ b/deps/openssl/openssl/apps/apps.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1012,7 +1012,8 @@ int set_name_ex(unsigned long *flags, const char *arg) }; if (set_multi_opts(flags, arg, ex_tbl) == 0) return 0; - if ((*flags & XN_FLAG_SEP_MASK) == 0) + if (*flags != XN_FLAG_COMPAT + && (*flags & XN_FLAG_SEP_MASK) == 0) *flags |= XN_FLAG_SEP_CPLUS_SPC; return 1; } diff --git a/deps/openssl/openssl/apps/asn1pars.c b/deps/openssl/openssl/apps/asn1pars.c index 1ac261c762..008a6797d0 100644 --- a/deps/openssl/openssl/apps/asn1pars.c +++ b/deps/openssl/openssl/apps/asn1pars.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -41,7 +41,7 @@ OPTIONS asn1parse_options[] = { {"dump", OPT_DUMP, 0, "unknown data in hex form"}, {"dlimit", OPT_DLIMIT, 'p', "dump the first arg bytes of unknown data in hex form"}, - {"strparse", OPT_STRPARSE, 's', + {"strparse", OPT_STRPARSE, 'p', "offset; a series of these can be used to 'dig'"}, {OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"}, {"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"}, @@ -113,13 +113,13 @@ int asn1parse_main(int argc, char **argv) offset = strtol(opt_arg(), NULL, 0); break; case OPT_LENGTH: - length = atoi(opt_arg()); + length = strtol(opt_arg(), NULL, 0); break; case OPT_DUMP: dump = -1; break; case OPT_DLIMIT: - dump = atoi(opt_arg()); + dump = strtol(opt_arg(), NULL, 0); break; case OPT_STRPARSE: sk_OPENSSL_STRING_push(osk, opt_arg()); @@ -191,7 +191,7 @@ int asn1parse_main(int argc, char **argv) num = 0; for (;;) { - if (!BUF_MEM_grow(buf, (int)num + BUFSIZ)) + if (!BUF_MEM_grow(buf, num + BUFSIZ)) goto end; i = BIO_read(in, &(buf->data[num]), BUFSIZ); if (i <= 0) @@ -211,9 +211,9 @@ int asn1parse_main(int argc, char **argv) for (i = 0; i < sk_OPENSSL_STRING_num(osk); i++) { ASN1_TYPE *atmp; int typ; - j = atoi(sk_OPENSSL_STRING_value(osk, i)); - if (j == 0) { - BIO_printf(bio_err, "'%s' is an invalid number\n", + j = strtol(sk_OPENSSL_STRING_value(osk, i), NULL, 0); + if (j <= 0 || j >= tmplen) { + BIO_printf(bio_err, "'%s' is out of range\n", sk_OPENSSL_STRING_value(osk, i)); continue; } @@ -244,14 +244,14 @@ int asn1parse_main(int argc, char **argv) num = tmplen; } - if (offset >= num) { - BIO_printf(bio_err, "Error: offset too large\n"); + if (offset < 0 || offset >= num) { + BIO_printf(bio_err, "Error: offset out of range\n"); goto end; } num -= offset; - if ((length == 0) || ((long)length > num)) + if (length == 0 || length > (unsigned int)num) length = (unsigned int)num; if (derout) { if (BIO_write(derout, str + offset, length) != (int)length) { diff --git a/deps/openssl/openssl/apps/ca.c b/deps/openssl/openssl/apps/ca.c index d474a2b69a..c69a2b5cdd 100644 --- a/deps/openssl/openssl/apps/ca.c +++ b/deps/openssl/openssl/apps/ca.c @@ -725,10 +725,10 @@ end_of_options: /*****************************************************************/ if (req || gencrl) { - /* FIXME: Is it really always text? */ - Sout = bio_open_default(outfile, 'w', FORMAT_TEXT); - if (Sout == NULL) - goto end; + if (spkac_file != NULL) { + output_der = 1; + batch = 1; + } } if (md == NULL @@ -872,10 +872,6 @@ end_of_options: BIO_printf(bio_err, "Memory allocation failure\n"); goto end; } - if (outfile) { - output_der = 1; - batch = 1; - } } } if (ss_cert_file != NULL) { @@ -929,10 +925,13 @@ end_of_options: if (j > 0) { total_done++; BIO_printf(bio_err, "\n"); - if (!BN_add_word(serial, 1)) + if (!BN_add_word(serial, 1)) { + X509_free(x); goto end; + } if (!sk_X509_push(cert_sk, x)) { BIO_printf(bio_err, "Memory allocation failure\n"); + X509_free(x); goto end; } } @@ -1017,6 +1016,11 @@ end_of_options: if (verbose) BIO_printf(bio_err, "writing %s\n", buf[2]); + Sout = bio_open_default(outfile, 'w', + output_der ? FORMAT_ASN1 : FORMAT_TEXT); + if (Sout == NULL) + goto end; + Cout = BIO_new_file(buf[2], "w"); if (Cout == NULL) { perror(buf[2]); @@ -1025,6 +1029,8 @@ end_of_options: write_new_certificate(Cout, xi, 0, notext); write_new_certificate(Sout, xi, output_der, notext); BIO_free_all(Cout); + BIO_free_all(Sout); + Sout = NULL; } if (sk_X509_num(cert_sk)) { @@ -1173,6 +1179,11 @@ end_of_options: if (!do_X509_CRL_sign(crl, pkey, dgst, sigopts)) goto end; + Sout = bio_open_default(outfile, 'w', + output_der ? FORMAT_ASN1 : FORMAT_TEXT); + if (Sout == NULL) + goto end; + PEM_write_bio_X509_CRL(Sout, crl); if (crlnumberfile != NULL) /* Rename the crlnumber file */ diff --git a/deps/openssl/openssl/apps/cms.c b/deps/openssl/openssl/apps/cms.c index b999c70c95..640f92eb1b 100644 --- a/deps/openssl/openssl/apps/cms.c +++ b/deps/openssl/openssl/apps/cms.c @@ -146,7 +146,7 @@ OPTIONS cms_options[] = { "Do not load certificates from the default certificates directory"}, {"content", OPT_CONTENT, '<', "Supply or override content for detached signature"}, - {"print", OPT_PRINT, '-', + {"print", OPT_PRINT, '-', "For the -cmsout operation print out all fields of the CMS structure"}, {"secretkey", OPT_SECRETKEY, 's'}, {"secretkeyid", OPT_SECRETKEYID, 's'}, diff --git a/deps/openssl/openssl/apps/ct_log_list.cnf b/deps/openssl/openssl/apps/ct_log_list.cnf index a637b477af..243487453c 100644 --- a/deps/openssl/openssl/apps/ct_log_list.cnf +++ b/deps/openssl/openssl/apps/ct_log_list.cnf @@ -31,3 +31,4 @@ key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEluqsHEYMG1XcDfy1lCdGV0JwOmkY4r87xNuroP [venafi] description = Venafi log key = MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAolpIHxdSlTXLo1s6H1OCdpSj/4DyHDc8wLG9wVmLqy1lk9fz4ATVmm+/1iN2Nk8jmctUKK2MFUtlWXZBSpym97M7frGlSaQXUWyA3CqQUEuIJOmlEjKTBEiQAvpfDjCHjlV2Be4qTM6jamkJbiWtgnYPhJL6ONaGTiSPm7Byy57iaz/hbckldSOIoRhYBiMzeNoA0DiRZ9KmfSeXZ1rB8y8X5urSW+iBzf2SaOfzBvDpcoTuAaWx2DPazoOl28fP1hZ+kHUYvxbcMjttjauCFx+JII0dmuZNIwjfeG/GBb9frpSX219k1O4Wi6OEbHEr8at/XQ0y7gTikOxBn/s5wQIDAQAB + diff --git a/deps/openssl/openssl/apps/dh1024.pem b/deps/openssl/openssl/apps/dh1024.pem index 813e8a4a48..f1a5e180aa 100644 --- a/deps/openssl/openssl/apps/dh1024.pem +++ b/deps/openssl/openssl/apps/dh1024.pem @@ -4,7 +4,7 @@ Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL /1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC -----END DH PARAMETERS----- -These are the 1024-bit DH parameters from "Internet Key Exchange +These are the 1024-bit DH parameters from "Internet Key Exchange Protocol Version 2 (IKEv2)": https://tools.ietf.org/html/rfc5996 See https://tools.ietf.org/html/rfc2412 for how they were generated. diff --git a/deps/openssl/openssl/apps/dh2048.pem b/deps/openssl/openssl/apps/dh2048.pem index 288a20997e..e899f2e029 100644 --- a/deps/openssl/openssl/apps/dh2048.pem +++ b/deps/openssl/openssl/apps/dh2048.pem @@ -7,8 +7,8 @@ fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq 5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg== -----END DH PARAMETERS----- -These are the 2048-bit DH parameters from "More Modular Exponential -(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)": +These are the 2048-bit DH parameters from "More Modular Exponential +(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)": https://tools.ietf.org/html/rfc3526 See https://tools.ietf.org/html/rfc2412 for how they were generated. diff --git a/deps/openssl/openssl/apps/dh4096.pem b/deps/openssl/openssl/apps/dh4096.pem index 08560e1284..adada2b558 100644 --- a/deps/openssl/openssl/apps/dh4096.pem +++ b/deps/openssl/openssl/apps/dh4096.pem @@ -12,8 +12,8 @@ ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI= -----END DH PARAMETERS----- -These are the 4096-bit DH parameters from "More Modular Exponential -(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)": +These are the 4096-bit DH parameters from "More Modular Exponential +(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)": https://tools.ietf.org/html/rfc3526 See https://tools.ietf.org/html/rfc2412 for how they were generated. diff --git a/deps/openssl/openssl/apps/dhparam.c b/deps/openssl/openssl/apps/dhparam.c index 94322e37de..8a28414562 100644 --- a/deps/openssl/openssl/apps/dhparam.c +++ b/deps/openssl/openssl/apps/dhparam.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -151,6 +151,11 @@ int dhparam_main(int argc, char **argv) goto end; } # endif + + out = bio_open_default(outfile, 'w', outformat); + if (out == NULL) + goto end; + /* DH parameters */ if (num && !g) g = 2; @@ -266,10 +271,6 @@ int dhparam_main(int argc, char **argv) /* dh != NULL */ } - out = bio_open_default(outfile, 'w', outformat); - if (out == NULL) - goto end; - if (text) { DHparams_print(out, dh); } diff --git a/deps/openssl/openssl/apps/dsaparam.c b/deps/openssl/openssl/apps/dsaparam.c index 5c3c8f8089..20891cf3dd 100644 --- a/deps/openssl/openssl/apps/dsaparam.c +++ b/deps/openssl/openssl/apps/dsaparam.c @@ -226,25 +226,28 @@ int dsaparam_main(int argc, char **argv) data = app_malloc(len + 20, "BN space"); - BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p); - print_bignum_var(bio_out, p, "dsap", len, data); - print_bignum_var(bio_out, q, "dsaq", len, data); - print_bignum_var(bio_out, g, "dsag", len, data); + BIO_printf(bio_out, "static DSA *get_dsa%d(void)\n{\n", bits_p); + print_bignum_var(bio_out, p, "dsap", bits_p, data); + print_bignum_var(bio_out, q, "dsaq", bits_p, data); + print_bignum_var(bio_out, g, "dsag", bits_p, data); BIO_printf(bio_out, " DSA *dsa = DSA_new();\n" + " BIGNUM *p, *q, *g;\n" "\n"); BIO_printf(bio_out, " if (dsa == NULL)\n" " return NULL;\n"); - BIO_printf(bio_out, " dsa->p = BN_bin2bn(dsap_%d, sizeof(dsap_%d), NULL);\n", - bits_p, bits_p); - BIO_printf(bio_out, " dsa->q = BN_bin2bn(dsaq_%d, sizeof(dsaq_%d), NULL);\n", - bits_p, bits_p); - BIO_printf(bio_out, " dsa->g = BN_bin2bn(dsag_%d, sizeof(dsag_%d), NULL);\n", - bits_p, bits_p); - BIO_printf(bio_out, " if (!dsa->p || !dsa->q || !dsa->g) {\n" - " DSA_free(dsa);\n" + BIO_printf(bio_out, " if (!DSA_set0_pqg(dsa, p = BN_bin2bn(dsap_%d, sizeof(dsap_%d), NULL),\n", + bits_p, bits_p); + BIO_printf(bio_out, " q = BN_bin2bn(dsaq_%d, sizeof(dsaq_%d), NULL),\n", + bits_p, bits_p); + BIO_printf(bio_out, " g = BN_bin2bn(dsag_%d, sizeof(dsag_%d), NULL))) {\n", + bits_p, bits_p); + BIO_printf(bio_out, " DSA_free(dsa);\n" + " BN_free(p);\n" + " BN_free(q);\n" + " BN_free(g);\n" " return NULL;\n" " }\n" - " return(dsa);\n}\n"); + " return dsa;\n}\n"); OPENSSL_free(data); } diff --git a/deps/openssl/openssl/apps/ocsp.c b/deps/openssl/openssl/apps/ocsp.c index 4b533348b4..0c15f5114d 100644 --- a/deps/openssl/openssl/apps/ocsp.c +++ b/deps/openssl/openssl/apps/ocsp.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -639,7 +639,6 @@ int ocsp_main(int argc, char **argv) OCSP_response_status_str(i), i); if (ignore_err) goto redo_accept; - ret = 0; goto end; } diff --git a/deps/openssl/openssl/apps/rehash.c b/deps/openssl/openssl/apps/rehash.c index 273ad74969..aa3f8643a5 100644 --- a/deps/openssl/openssl/apps/rehash.c +++ b/deps/openssl/openssl/apps/rehash.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -130,9 +130,10 @@ static int add_entry(enum Type type, unsigned int hash, const char *filename, for (ep = bp->first_entry; ep; ep = ep->next) { if (digest && memcmp(digest, ep->digest, evpmdsize) == 0) { BIO_printf(bio_err, - "%s: skipping duplicate %s in %s\n", opt_getprog(), + "%s: warning: skipping duplicate %s in %s\n", + opt_getprog(), type == TYPE_CERT ? "certificate" : "CRL", filename); - return 1; + return 0; } if (strcmp(filename, ep->filename) == 0) { found = ep; @@ -144,7 +145,7 @@ static int add_entry(enum Type type, unsigned int hash, const char *filename, if (ep == NULL) { if (bp->num_needed >= MAX_COLLISIONS) { BIO_printf(bio_err, - "%s: hash table overflow for %s\n", + "%s: error: hash table overflow for %s\n", opt_getprog(), filename); return 1; } @@ -235,7 +236,7 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h) /* Does it have X.509 data in it? */ if ((b = BIO_new_file(fullpath, "r")) == NULL) { - BIO_printf(bio_err, "%s: skipping %s, cannot open file\n", + BIO_printf(bio_err, "%s: error: skipping %s, cannot open file\n", opt_getprog(), filename); errs++; goto end; @@ -247,7 +248,7 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h) if (sk_X509_INFO_num(inf) != 1) { BIO_printf(bio_err, - "%s: skipping %s," + "%s: warning: skipping %s," "it does not contain exactly one certificate or CRL\n", opt_getprog(), filename); /* This is not an error. */ @@ -502,13 +503,14 @@ int rehash_main(int argc, char **argv) if (*argv) { while (*argv) errs += do_dir(*argv++, h); - } else if ((env = getenv("SSL_CERT_DIR")) != NULL) { + } else if ((env = getenv(X509_get_default_cert_dir_env())) != NULL) { + char lsc[2] = { LIST_SEPARATOR_CHAR, '\0' }; m = OPENSSL_strdup(env); - for (e = strtok(m, ":"); e != NULL; e = strtok(NULL, ":")) + for (e = strtok(m, lsc); e != NULL; e = strtok(NULL, lsc)) errs += do_dir(e, h); OPENSSL_free(m); } else { - errs += do_dir("/etc/ssl/certs", h); + errs += do_dir(X509_get_default_cert_dir(), h); } end: diff --git a/deps/openssl/openssl/apps/s_client.c b/deps/openssl/openssl/apps/s_client.c index fb89f0cd61..3c0c73e851 100644 --- a/deps/openssl/openssl/apps/s_client.c +++ b/deps/openssl/openssl/apps/s_client.c @@ -593,7 +593,8 @@ OPTIONS s_client_options[] = { "Disable name checks when matching DANE-EE(3) TLSA records"}, {"reconnect", OPT_RECONNECT, '-', "Drop and re-make the connection with the same Session-ID"}, - {"showcerts", OPT_SHOWCERTS, '-', "Show all certificates in the chain"}, + {"showcerts", OPT_SHOWCERTS, '-', + "Show all certificates sent by the server"}, {"debug", OPT_DEBUG, '-', "Extra output"}, {"msg", OPT_MSG, '-', "Show protocol messages"}, {"msgfile", OPT_MSGFILE, '>', @@ -2114,8 +2115,7 @@ int s_client_main(int argc, char **argv) FD_ZERO(&readfds); FD_ZERO(&writefds); - if ((SSL_version(con) == DTLS1_VERSION) && - DTLSv1_get_timeout(con, &timeout)) + if (SSL_is_dtls(con) && DTLSv1_get_timeout(con, &timeout)) timeoutp = &timeout; else timeoutp = NULL; @@ -2235,10 +2235,8 @@ int s_client_main(int argc, char **argv) } } - if ((SSL_version(con) == DTLS1_VERSION) - && DTLSv1_handle_timeout(con) > 0) { + if (SSL_is_dtls(con) && DTLSv1_handle_timeout(con) > 0) BIO_printf(bio_err, "TIMEOUT occurred\n"); - } if (!ssl_pending && FD_ISSET(SSL_get_fd(con), &writefds)) { k = SSL_write(con, &(cbuf[cbuf_off]), (unsigned int)cbuf_len); diff --git a/deps/openssl/openssl/apps/s_server.c b/deps/openssl/openssl/apps/s_server.c index 31c90fdd0e..e8aa323a4f 100644 --- a/deps/openssl/openssl/apps/s_server.c +++ b/deps/openssl/openssl/apps/s_server.c @@ -2012,9 +2012,7 @@ static int sv_body(int s, int stype, unsigned char *context) SSL *con = NULL; BIO *sbio; struct timeval timeout; -#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) - struct timeval tv; -#else +#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)) struct timeval *timeoutp; #endif @@ -2149,26 +2147,23 @@ static int sv_body(int s, int stype, unsigned char *context) * second and check for any keypress. In a proper Windows * application we wouldn't do this because it is inefficient. */ - tv.tv_sec = 1; - tv.tv_usec = 0; - i = select(width, (void *)&readfds, NULL, NULL, &tv); + timeout.tv_sec = 1; + timeout.tv_usec = 0; + i = select(width, (void *)&readfds, NULL, NULL, &timeout); if (has_stdin_waiting()) read_from_terminal = 1; if ((i < 0) || (!i && !read_from_terminal)) continue; #else - if ((SSL_version(con) == DTLS1_VERSION) && - DTLSv1_get_timeout(con, &timeout)) + if (SSL_is_dtls(con) && DTLSv1_get_timeout(con, &timeout)) timeoutp = &timeout; else timeoutp = NULL; i = select(width, (void *)&readfds, NULL, NULL, timeoutp); - if ((SSL_version(con) == DTLS1_VERSION) - && DTLSv1_handle_timeout(con) > 0) { + if ((SSL_is_dtls(con)) && DTLSv1_handle_timeout(con) > 0) BIO_printf(bio_err, "TIMEOUT occurred\n"); - } if (i <= 0) continue; diff --git a/deps/openssl/openssl/apps/smime.c b/deps/openssl/openssl/apps/smime.c index 8edb1ed994..e18d7de75f 100644 --- a/deps/openssl/openssl/apps/smime.c +++ b/deps/openssl/openssl/apps/smime.c @@ -89,7 +89,7 @@ OPTIONS smime_options[] = { {"no-CApath", OPT_NOCAPATH, '-', "Do not load certificates from the default certificates directory"}, {"resign", OPT_RESIGN, '-', "Resign a signed message"}, - {"nochain", OPT_NOCHAIN, '-', + {"nochain", OPT_NOCHAIN, '-', "set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" }, {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"}, {"stream", OPT_STREAM, '-', "Enable CMS streaming" }, diff --git a/deps/openssl/openssl/apps/speed.c b/deps/openssl/openssl/apps/speed.c index f388a9852d..3ef37b78a6 100644 --- a/deps/openssl/openssl/apps/speed.c +++ b/deps/openssl/openssl/apps/speed.c @@ -129,13 +129,6 @@ #define BUFSIZE (1024*16+1) #define MAX_MISALIGNMENT 63 -#define ALGOR_NUM 30 -#define SIZE_NUM 6 -#define PRIME_NUM 3 -#define RSA_NUM 7 -#define DSA_NUM 3 - -#define EC_NUM 17 #define MAX_ECDH_SIZE 256 #define MISALIGN 64 @@ -144,37 +137,6 @@ static volatile int run = 0; static int mr = 0; static int usertime = 1; -typedef void *(*kdf_fn) ( - const void *in, size_t inlen, void *out, size_t *xoutlen); - -typedef struct loopargs_st { - ASYNC_JOB *inprogress_job; - ASYNC_WAIT_CTX *wait_ctx; - unsigned char *buf; - unsigned char *buf2; - unsigned char *buf_malloc; - unsigned char *buf2_malloc; - unsigned int siglen; -#ifndef OPENSSL_NO_RSA - RSA *rsa_key[RSA_NUM]; -#endif -#ifndef OPENSSL_NO_DSA - DSA *dsa_key[DSA_NUM]; -#endif -#ifndef OPENSSL_NO_EC - EC_KEY *ecdsa[EC_NUM]; - EC_KEY *ecdh_a[EC_NUM]; - EC_KEY *ecdh_b[EC_NUM]; - unsigned char *secret_a; - unsigned char *secret_b; - size_t outlen; - kdf_fn kdf; -#endif - EVP_CIPHER_CTX *ctx; - HMAC_CTX *hctx; - GCM128_CONTEXT *gcm_ctx; -} loopargs_t; - #ifndef OPENSSL_NO_MD2 static int EVP_Digest_MD2_loop(void *args); #endif @@ -227,7 +189,6 @@ static int ECDSA_sign_loop(void *args); static int ECDSA_verify_loop(void *args); static int ECDH_compute_key_loop(void *args); #endif -static int run_benchmark(int async_jobs, int (*loop_function)(void *), loopargs_t *loopargs); static double Time_F(int s); static void print_message(const char *s, long num, int length); @@ -238,32 +199,10 @@ static void print_result(int alg, int run_no, int count, double time_used); static int do_multi(int multi); #endif -static const char *names[ALGOR_NUM] = { - "md2", "mdc2", "md4", "md5", "hmac(md5)", "sha1", "rmd160", "rc4", - "des cbc", "des ede3", "idea cbc", "seed cbc", - "rc2 cbc", "rc5-32/12 cbc", "blowfish cbc", "cast cbc", - "aes-128 cbc", "aes-192 cbc", "aes-256 cbc", - "camellia-128 cbc", "camellia-192 cbc", "camellia-256 cbc", - "evp", "sha256", "sha512", "whirlpool", - "aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash" -}; - -static double results[ALGOR_NUM][SIZE_NUM]; - -static const int lengths[SIZE_NUM] = { +static const int lengths[] = { 16, 64, 256, 1024, 8 * 1024, 16 * 1024 }; - -#ifndef OPENSSL_NO_RSA -static double rsa_results[RSA_NUM][2]; -#endif -#ifndef OPENSSL_NO_DSA -static double dsa_results[DSA_NUM][2]; -#endif -#ifndef OPENSSL_NO_EC -static double ecdsa_results[EC_NUM][2]; -static double ecdh_results[EC_NUM][1]; -#endif +#define SIZE_NUM OSSL_NELEM(lengths) #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC) static const char rnd_seed[] = @@ -348,9 +287,14 @@ static double Time_F(int s) static void multiblock_speed(const EVP_CIPHER *evp_cipher); -static int found(const char *name, const OPT_PAIR *pairs, int *result) +#define found(value, pairs, result)\ + opt_found(value, result, pairs, OSSL_NELEM(pairs)) +static int opt_found(const char *name, unsigned int *result, + const OPT_PAIR pairs[], unsigned int nbelem) { - for (; pairs->name; pairs++) + unsigned int idx; + + for (idx = 0; idx < nbelem; ++idx, pairs++) if (strcmp(name, pairs->name) == 0) { *result = pairs->retval; return 1; @@ -387,7 +331,7 @@ OPTIONS speed_options[] = { #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif - {NULL}, + {NULL} }; #define D_MD2 0 @@ -420,7 +364,19 @@ OPTIONS speed_options[] = { #define D_IGE_192_AES 27 #define D_IGE_256_AES 28 #define D_GHASH 29 -static OPT_PAIR doit_choices[] = { +/* name of algorithms to test */ +static const char *names[] = { + "md2", "mdc2", "md4", "md5", "hmac(md5)", "sha1", "rmd160", "rc4", + "des cbc", "des ede3", "idea cbc", "seed cbc", + "rc2 cbc", "rc5-32/12 cbc", "blowfish cbc", "cast cbc", + "aes-128 cbc", "aes-192 cbc", "aes-256 cbc", + "camellia-128 cbc", "camellia-192 cbc", "camellia-256 cbc", + "evp", "sha256", "sha512", "whirlpool", + "aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash" +}; +#define ALGOR_NUM OSSL_NELEM(names) +/* list of configured algorithm (remaining) */ +static const OPT_PAIR doit_choices[] = { #ifndef OPENSSL_NO_MD2 {"md2", D_MD2}, #endif @@ -484,21 +440,24 @@ static OPT_PAIR doit_choices[] = { {"cast", D_CBC_CAST}, {"cast5", D_CBC_CAST}, #endif - {"ghash", D_GHASH}, - {NULL} + {"ghash", D_GHASH} }; +static double results[ALGOR_NUM][SIZE_NUM]; + #ifndef OPENSSL_NO_DSA # define R_DSA_512 0 # define R_DSA_1024 1 # define R_DSA_2048 2 -static OPT_PAIR dsa_choices[] = { +static const OPT_PAIR dsa_choices[] = { {"dsa512", R_DSA_512}, {"dsa1024", R_DSA_1024}, - {"dsa2048", R_DSA_2048}, - {NULL}, + {"dsa2048", R_DSA_2048} }; -#endif +# define DSA_NUM OSSL_NELEM(dsa_choices) + +static double dsa_results[DSA_NUM][2]; /* 2 ops: sign then verify */ +#endif /* OPENSSL_NO_DSA */ #define R_RSA_512 0 #define R_RSA_1024 1 @@ -507,16 +466,18 @@ static OPT_PAIR dsa_choices[] = { #define R_RSA_4096 4 #define R_RSA_7680 5 #define R_RSA_15360 6 -static OPT_PAIR rsa_choices[] = { +static const OPT_PAIR rsa_choices[] = { {"rsa512", R_RSA_512}, {"rsa1024", R_RSA_1024}, {"rsa2048", R_RSA_2048}, {"rsa3072", R_RSA_3072}, {"rsa4096", R_RSA_4096}, {"rsa7680", R_RSA_7680}, - {"rsa15360", R_RSA_15360}, - {NULL} + {"rsa15360", R_RSA_15360} }; +# define RSA_NUM OSSL_NELEM(rsa_choices) + +static double rsa_results[RSA_NUM][2]; /* 2 ops: sign then verify */ #define R_EC_P160 0 #define R_EC_P192 1 @@ -536,7 +497,7 @@ static OPT_PAIR rsa_choices[] = { #define R_EC_B571 15 #define R_EC_X25519 16 #ifndef OPENSSL_NO_EC -static OPT_PAIR ecdsa_choices[] = { +static const OPT_PAIR ecdsa_choices[] = { {"ecdsap160", R_EC_P160}, {"ecdsap192", R_EC_P192}, {"ecdsap224", R_EC_P224}, @@ -552,11 +513,13 @@ static OPT_PAIR ecdsa_choices[] = { {"ecdsab233", R_EC_B233}, {"ecdsab283", R_EC_B283}, {"ecdsab409", R_EC_B409}, - {"ecdsab571", R_EC_B571}, - {NULL} + {"ecdsab571", R_EC_B571} }; +# define ECDSA_NUM OSSL_NELEM(ecdsa_choices) + +static double ecdsa_results[ECDSA_NUM][2]; /* 2 ops: sign then verify */ -static OPT_PAIR ecdh_choices[] = { +static const OPT_PAIR ecdh_choices[] = { {"ecdhp160", R_EC_P160}, {"ecdhp192", R_EC_P192}, {"ecdhp224", R_EC_P224}, @@ -576,7 +539,10 @@ static OPT_PAIR ecdh_choices[] = { {"ecdhx25519", R_EC_X25519}, {NULL} }; -#endif +# define EC_NUM OSSL_NELEM(ecdh_choices) + +static double ecdh_results[EC_NUM][1]; /* 1 op: derivation */ +#endif /* OPENSSL_NO_EC */ #ifndef SIGALRM # define COND(d) (count < (d)) @@ -586,7 +552,40 @@ static OPT_PAIR ecdh_choices[] = { # define COUNT(d) (count) #endif /* SIGALRM */ -static int testnum; +static unsigned int testnum; +typedef void *(*kdf_fn) (const void *in, size_t inlen, void *out, + size_t *xoutlen); + +typedef struct loopargs_st { + ASYNC_JOB *inprogress_job; + ASYNC_WAIT_CTX *wait_ctx; + unsigned char *buf; + unsigned char *buf2; + unsigned char *buf_malloc; + unsigned char *buf2_malloc; + unsigned int siglen; +#ifndef OPENSSL_NO_RSA + RSA *rsa_key[RSA_NUM]; +#endif +#ifndef OPENSSL_NO_DSA + DSA *dsa_key[DSA_NUM]; +#endif +#ifndef OPENSSL_NO_EC + EC_KEY *ecdsa[ECDSA_NUM]; + EC_KEY *ecdh_a[EC_NUM]; + EC_KEY *ecdh_b[EC_NUM]; + unsigned char *secret_a; + unsigned char *secret_b; + size_t outlen; + kdf_fn kdf; +#endif + EVP_CIPHER_CTX *ctx; + HMAC_CTX *hctx; + GCM128_CONTEXT *gcm_ctx; +} loopargs_t; + +static int run_benchmark(int async_jobs, int (*loop_function) (void *), + loopargs_t * loopargs); /* Nb of iterations to do per algorithm and key-size */ static long c[ALGOR_NUM][SIZE_NUM]; @@ -995,7 +994,7 @@ static int DSA_verify_loop(void *args) #endif #ifndef OPENSSL_NO_EC -static long ecdsa_c[EC_NUM][2]; +static long ecdsa_c[ECDSA_NUM][2]; static int ECDSA_sign_loop(void *args) { loopargs_t *tempargs = *(loopargs_t **)args; @@ -1188,8 +1187,8 @@ static int run_benchmark(int async_jobs, continue; #endif - ret = ASYNC_start_job(&loopargs[i].inprogress_job, - loopargs[i].wait_ctx, &job_op_count, loop_function, + ret = ASYNC_start_job(&loopargs[i].inprogress_job, + loopargs[i].wait_ctx, &job_op_count, loop_function, (void *)(loopargs + i), sizeof(loopargs_t)); switch (ret) { case ASYNC_PAUSE: @@ -1222,26 +1221,23 @@ int speed_main(int argc, char **argv) { ENGINE *e = NULL; loopargs_t *loopargs = NULL; - int async_init = 0; - int loopargs_len = 0; - char *prog; + const char *prog; const char *engine_id = NULL; const EVP_CIPHER *evp_cipher = NULL; double d = 0.0; OPTION_CHOICE o; - int multiblock = 0, pr_header = 0; + int async_init = 0, multiblock = 0, pr_header = 0; int doit[ALGOR_NUM] = { 0 }; - int ret = 1, i, k, misalign = 0; + int ret = 1, misalign = 0; long count = 0; + unsigned int i, k, loop, loopargs_len = 0, async_jobs = 0; #ifndef NO_FORK int multi = 0; #endif - unsigned int async_jobs = 0; #if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) \ || !defined(OPENSSL_NO_EC) long rsa_count = 1; #endif - size_t loop; /* What follows are the buffers and key material. */ #ifndef OPENSSL_NO_RC5 @@ -1325,7 +1321,7 @@ int speed_main(int argc, char **argv) /* * We only test over the following curves as they are representative, To * add tests over more curves, simply add the curve NID and curve name to - * the following arrays and increase the EC_NUM value accordingly. + * the following arrays and increase the |ecdh_choices| list accordingly. */ static const unsigned int test_curves[EC_NUM] = { /* Prime Curves */ @@ -1360,7 +1356,7 @@ int speed_main(int argc, char **argv) 571, 253 /* X25519 */ }; - int ecdsa_doit[EC_NUM] = { 0 }; + int ecdsa_doit[ECDSA_NUM] = { 0 }; int ecdh_doit[EC_NUM] = { 0 }; #endif /* ndef OPENSSL_NO_EC */ @@ -1418,9 +1414,7 @@ int speed_main(int argc, char **argv) goto opterr; } if (async_jobs > 99999) { - BIO_printf(bio_err, - "%s: too many async_jobs\n", - prog); + BIO_printf(bio_err, "%s: too many async_jobs\n", prog); goto opterr; } #endif @@ -1471,10 +1465,8 @@ int speed_main(int argc, char **argv) if (strcmp(*argv, "openssl") == 0) continue; if (strcmp(*argv, "rsa") == 0) { - rsa_doit[R_RSA_512] = rsa_doit[R_RSA_1024] = - rsa_doit[R_RSA_2048] = rsa_doit[R_RSA_3072] = - rsa_doit[R_RSA_4096] = rsa_doit[R_RSA_7680] = - rsa_doit[R_RSA_15360] = 1; + for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++) + rsa_doit[loop] = 1; continue; } if (found(*argv, rsa_choices, &i)) { @@ -1507,8 +1499,8 @@ int speed_main(int argc, char **argv) #endif #ifndef OPENSSL_NO_EC if (strcmp(*argv, "ecdsa") == 0) { - for (loop = 0; loop < OSSL_NELEM(ecdsa_choices); loop++) - ecdsa_doit[ecdsa_choices[loop].retval] = 1; + for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++) + ecdsa_doit[loop] = 1; continue; } if (found(*argv, ecdsa_choices, &i)) { @@ -1516,8 +1508,8 @@ int speed_main(int argc, char **argv) continue; } if (strcmp(*argv, "ecdh") == 0) { - for (loop = 0; loop < OSSL_NELEM(ecdh_choices); loop++) - ecdh_doit[ecdh_choices[loop].retval] = 1; + for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) + ecdh_doit[loop] = 1; continue; } if (found(*argv, ecdh_choices, &i)) { @@ -1584,10 +1576,10 @@ int speed_main(int argc, char **argv) dsa_doit[i] = 1; #endif #ifndef OPENSSL_NO_EC - for (loop = 0; loop < OSSL_NELEM(ecdsa_choices); loop++) - ecdsa_doit[ecdsa_choices[loop].retval] = 1; - for (loop = 0; loop < OSSL_NELEM(ecdh_choices); loop++) - ecdh_doit[ecdh_choices[loop].retval] = 1; + for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++) + ecdsa_doit[loop] = 1; + for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) + ecdh_doit[loop] = 1; #endif } for (i = 0; i < ALGOR_NUM; i++) @@ -1850,6 +1842,8 @@ int speed_main(int argc, char **argv) } } } + /* default iteration count for the last EC Curve */ + ecdh_c[R_EC_X25519][0] = count / 1800; # endif # else @@ -2472,7 +2466,7 @@ int speed_main(int argc, char **argv) if (RAND_status() != 1) { RAND_seed(rnd_seed, sizeof(rnd_seed)); } - for (testnum = 0; testnum < EC_NUM; testnum++) { + for (testnum = 0; testnum < ECDSA_NUM; testnum++) { int st = 1; if (!ecdsa_doit[testnum]) @@ -2584,7 +2578,7 @@ int speed_main(int argc, char **argv) ecdh_checks = 0; rsa_count = 1; } else { - int secret_size_a, secret_size_b; + int secret_size_a, secret_size_b, j; /* * If field size is not more than 24 octets, then use SHA-1 * hash of result; otherwise, use result (see section 4.8 of @@ -2613,8 +2607,8 @@ int speed_main(int argc, char **argv) else ecdh_checks = 1; - for (k = 0; k < secret_size_a && ecdh_checks == 1; k++) { - if (loopargs[i].secret_a[k] != loopargs[i].secret_b[k]) + for (j = 0; j < secret_size_a && ecdh_checks == 1; j++) { + if (loopargs[i].secret_a[j] != loopargs[i].secret_b[j]) ecdh_checks = 0; } @@ -2644,7 +2638,7 @@ int speed_main(int argc, char **argv) if (rsa_count <= 1) { /* if longer than 10s, don't do any more */ - for (testnum++; testnum < EC_NUM; testnum++) + for (testnum++; testnum < OSSL_NELEM(ecdh_doit); testnum++) ecdh_doit[testnum] = 0; } } @@ -2693,7 +2687,7 @@ int speed_main(int argc, char **argv) if (!doit[k]) continue; if (mr) - printf("+F:%d:%s", k, names[k]); + printf("+F:%u:%s", k, names[k]); else printf("%-13s", names[k]); for (testnum = 0; testnum < SIZE_NUM; testnum++) { @@ -2742,7 +2736,7 @@ int speed_main(int argc, char **argv) #endif #ifndef OPENSSL_NO_EC testnum = 1; - for (k = 0; k < EC_NUM; k++) { + for (k = 0; k < OSSL_NELEM(ecdsa_doit); k++) { if (!ecdsa_doit[k]) continue; if (testnum && !mr) { @@ -2800,8 +2794,9 @@ int speed_main(int argc, char **argv) DSA_free(loopargs[i].dsa_key[k]); #endif #ifndef OPENSSL_NO_EC - for (k = 0; k < EC_NUM; k++) { + for (k = 0; k < ECDSA_NUM; k++) EC_KEY_free(loopargs[i].ecdsa[k]); + for (k = 0; k < EC_NUM; k++) { EC_KEY_free(loopargs[i].ecdh_a[k]); EC_KEY_free(loopargs[i].ecdh_b[k]); } @@ -2950,7 +2945,7 @@ static int do_multi(int multi) printf("Got: %s from %d\n", buf, n); if (strncmp(buf, "+F:", 3) == 0) { int alg; - int j; + unsigned int j; p = buf + 3; alg = atoi(sstrsep(&p, sep)); diff --git a/deps/openssl/openssl/apps/verify.c b/deps/openssl/openssl/apps/verify.c index 0925ee627f..8bcbff6177 100644 --- a/deps/openssl/openssl/apps/verify.c +++ b/deps/openssl/openssl/apps/verify.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -219,6 +219,7 @@ static int check(X509_STORE *ctx, const char *file, X509_STORE_set_flags(ctx, vflags); if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) { + X509_STORE_CTX_free(csc); printf("error %s: X.509 store context initialization failed\n", (file == NULL) ? "stdin" : file); goto end; diff --git a/deps/openssl/openssl/appveyor.yml b/deps/openssl/openssl/appveyor.yml index 8dd6cb6fb0..ba291fdd17 100644 --- a/deps/openssl/openssl/appveyor.yml +++ b/deps/openssl/openssl/appveyor.yml @@ -41,5 +41,5 @@ test_script: - cd _build - nmake test - mkdir ..\_install - - nmake install install_docs DESTDIR=..\_install + - nmake install DESTDIR=..\_install - cd .. diff --git a/deps/openssl/openssl/config b/deps/openssl/openssl/config index 6331d905b4..35e849a958 100755 --- a/deps/openssl/openssl/config +++ b/deps/openssl/openssl/config @@ -923,7 +923,7 @@ if [ $? = "0" ]; then if [ "$VERBOSE" = "true" ]; then echo $PERL $THERE/Configure $OUT $options - fi + fi if [ "$DRYRUN" = "false" ]; then $PERL $THERE/Configure $OUT $options fi diff --git a/deps/openssl/openssl/crypto/aes/asm/vpaes-armv8.pl b/deps/openssl/openssl/crypto/aes/asm/vpaes-armv8.pl index 2e704a2124..d6b5f561c4 100755 --- a/deps/openssl/openssl/crypto/aes/asm/vpaes-armv8.pl +++ b/deps/openssl/openssl/crypto/aes/asm/vpaes-armv8.pl @@ -769,7 +769,7 @@ _vpaes_schedule_core: ld1 {v0.16b}, [$inp] // vmovdqu 16(%rdi),%xmm0 # load key part 2 (unaligned) bl _vpaes_schedule_transform // input transform mov $inp, #7 // mov \$7, %esi - + .Loop_schedule_256: sub $inp, $inp, #1 // dec %esi bl _vpaes_schedule_mangle // output low result @@ -778,7 +778,7 @@ _vpaes_schedule_core: // high round bl _vpaes_schedule_round cbz $inp, .Lschedule_mangle_last - bl _vpaes_schedule_mangle + bl _vpaes_schedule_mangle // low round. swap xmm7 and xmm6 dup v0.4s, v0.s[3] // vpshufd \$0xFF, %xmm0, %xmm0 @@ -787,7 +787,7 @@ _vpaes_schedule_core: mov v7.16b, v6.16b // vmovdqa %xmm6, %xmm7 bl _vpaes_schedule_low_round mov v7.16b, v5.16b // vmovdqa %xmm5, %xmm7 - + b .Loop_schedule_256 ## @@ -814,7 +814,7 @@ _vpaes_schedule_core: .Lschedule_mangle_last_dec: ld1 {v20.2d-v21.2d}, [x11] // reload constants - sub $out, $out, #16 // add \$-16, %rdx + sub $out, $out, #16 // add \$-16, %rdx eor v0.16b, v0.16b, v16.16b // vpxor .Lk_s63(%rip), %xmm0, %xmm0 bl _vpaes_schedule_transform // output transform st1 {v0.2d}, [$out] // vmovdqu %xmm0, (%rdx) # save last key diff --git a/deps/openssl/openssl/crypto/aes/build.info b/deps/openssl/openssl/crypto/aes/build.info index 5240b9c87f..cf6cb5ec25 100644 --- a/deps/openssl/openssl/crypto/aes/build.info +++ b/deps/openssl/openssl/crypto/aes/build.info @@ -45,9 +45,6 @@ INCLUDE[aes-armv4.o]=.. GENERATE[bsaes-armv7.S]=asm/bsaes-armv7.pl $(PERLASM_SCHEME) INCLUDE[bsaes-armv7.o]=.. -GENERATE[aes-s390x.S]=asm/aes-s390x.pl $(PERLASM_SCHEME) -INCLUDE[aes-s390x.o]=.. - BEGINRAW[Makefile] ##### AES assembler implementations diff --git a/deps/openssl/openssl/crypto/arm_arch.h b/deps/openssl/openssl/crypto/arm_arch.h index 3fc9e69b1c..25419e0df1 100644 --- a/deps/openssl/openssl/crypto/arm_arch.h +++ b/deps/openssl/openssl/crypto/arm_arch.h @@ -1,5 +1,5 @@ /* - * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -69,7 +69,7 @@ # endif # endif -# if !__ASSEMBLER__ +# ifndef __ASSEMBLER__ extern unsigned int OPENSSL_armcap_P; # endif diff --git a/deps/openssl/openssl/crypto/armcap.c b/deps/openssl/openssl/crypto/armcap.c index 432a06c0c1..28e97c8c4a 100644 --- a/deps/openssl/openssl/crypto/armcap.c +++ b/deps/openssl/openssl/crypto/armcap.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,6 +13,7 @@ #include <setjmp.h> #include <signal.h> #include <openssl/crypto.h> +#include <internal/cryptlib.h> #include "arm_arch.h" diff --git a/deps/openssl/openssl/crypto/armv4cpuid.pl b/deps/openssl/openssl/crypto/armv4cpuid.pl index f7d31a698a..ab007c19c3 100644 --- a/deps/openssl/openssl/crypto/armv4cpuid.pl +++ b/deps/openssl/openssl/crypto/armv4cpuid.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -125,7 +125,7 @@ CRYPTO_memcmp: ldmia sp!,{r4,r5} .Lno_data: - neg r0,ip + rsb r0,ip,#0 mov r0,r0,lsr#31 #if __ARM_ARCH__>=5 bx lr diff --git a/deps/openssl/openssl/crypto/asn1/a_object.c b/deps/openssl/openssl/crypto/asn1/a_object.c index 1ec7a7e15f..7d332ec2f6 100644 --- a/deps/openssl/openssl/crypto/asn1/a_object.c +++ b/deps/openssl/openssl/crypto/asn1/a_object.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -19,7 +19,7 @@ int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp) { - unsigned char *p; + unsigned char *p, *allocated = NULL; int objsize; if ((a == NULL) || (a->data == NULL)) @@ -29,13 +29,24 @@ int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp) if (pp == NULL || objsize == -1) return objsize; - p = *pp; + if (*pp == NULL) { + if ((p = allocated = OPENSSL_malloc(objsize)) == NULL) { + ASN1err(ASN1_F_I2D_ASN1_OBJECT, ERR_R_MALLOC_FAILURE); + return 0; + } + } else { + p = *pp; + } + ASN1_put_object(&p, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL); memcpy(p, a->data, a->length); - p += a->length; - *pp = p; - return (objsize); + /* + * If a new buffer was allocated, just return it back. + * If not, return the incremented buffer pointer. + */ + *pp = allocated != NULL ? allocated : p + a->length; + return objsize; } int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num) diff --git a/deps/openssl/openssl/crypto/asn1/a_strex.c b/deps/openssl/openssl/crypto/asn1/a_strex.c index b91266b3c5..207190c52b 100644 --- a/deps/openssl/openssl/crypto/asn1/a_strex.c +++ b/deps/openssl/openssl/crypto/asn1/a_strex.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -139,7 +139,7 @@ static int do_buf(unsigned char *buf, int buflen, int type, unsigned short flags, char *quotes, char_io *io_ch, void *arg) { - int i, outlen, len; + int i, outlen, len, charwidth; unsigned short orflags; unsigned char *p, *q; unsigned long c; @@ -147,12 +147,32 @@ static int do_buf(unsigned char *buf, int buflen, p = buf; q = buf + buflen; outlen = 0; + charwidth = type & BUF_TYPE_WIDTH_MASK; + + switch (charwidth) { + case 4: + if (buflen & 3) { + ASN1err(ASN1_F_DO_BUF, ASN1_R_INVALID_UNIVERSALSTRING_LENGTH); + return -1; + } + break; + case 2: + if (buflen & 1) { + ASN1err(ASN1_F_DO_BUF, ASN1_R_INVALID_BMPSTRING_LENGTH); + return -1; + } + break; + default: + break; + } + while (p != q) { if (p == buf && flags & ASN1_STRFLGS_ESC_2253) orflags = CHARTYPE_FIRST_ESC_2253; else orflags = 0; - switch (type & BUF_TYPE_WIDTH_MASK) { + + switch (charwidth) { case 4: c = ((unsigned long)*p++) << 24; c |= ((unsigned long)*p++) << 16; @@ -173,6 +193,7 @@ static int do_buf(unsigned char *buf, int buflen, i = UTF8_getc(p, buflen, &c); if (i < 0) return -1; /* Invalid UTF8String */ + buflen -= i; p += i; break; default: @@ -592,53 +613,3 @@ int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in) *out = stmp.data; return stmp.length; } - -/* Return 1 if host is a valid hostname and 0 otherwise */ -int asn1_valid_host(const ASN1_STRING *host) -{ - int hostlen = host->length; - const unsigned char *hostptr = host->data; - int type = host->type; - int i; - signed char width = -1; - unsigned short chflags = 0, prevchflags; - - if (type > 0 && type < 31) - width = tag2nbyte[type]; - if (width == -1 || hostlen == 0) - return 0; - /* Treat UTF8String as width 1 as any MSB set is invalid */ - if (width == 0) - width = 1; - for (i = 0 ; i < hostlen; i+= width) { - prevchflags = chflags; - /* Value must be <= 0x7F: check upper bytes are all zeroes */ - if (width == 4) { - if (*hostptr++ != 0 || *hostptr++ != 0 || *hostptr++ != 0) - return 0; - } else if (width == 2) { - if (*hostptr++ != 0) - return 0; - } - if (*hostptr > 0x7f) - return 0; - chflags = char_type[*hostptr++]; - if (!(chflags & (CHARTYPE_HOST_ANY | CHARTYPE_HOST_WILD))) { - /* Nothing else allowed at start or end of string */ - if (i == 0 || i == hostlen - 1) - return 0; - /* Otherwise invalid if not dot or hyphen */ - if (!(chflags & (CHARTYPE_HOST_DOT | CHARTYPE_HOST_HYPHEN))) - return 0; - /* - * If previous is dot or hyphen then illegal unless both - * are hyphens: as .- -. .. are all illegal - */ - if (prevchflags & (CHARTYPE_HOST_DOT | CHARTYPE_HOST_HYPHEN) - && ((prevchflags & CHARTYPE_HOST_DOT) - || (chflags & CHARTYPE_HOST_DOT))) - return 0; - } - } - return 1; -} diff --git a/deps/openssl/openssl/crypto/asn1/ameth_lib.c b/deps/openssl/openssl/crypto/asn1/ameth_lib.c index b8ba067877..9b0a2ccb20 100644 --- a/deps/openssl/openssl/crypto/asn1/ameth_lib.c +++ b/deps/openssl/openssl/crypto/asn1/ameth_lib.c @@ -255,6 +255,18 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags, goto err; } + /* + * One of the following must be true: + * + * pem_str == NULL AND ASN1_PKEY_ALIAS is set + * pem_str != NULL AND ASN1_PKEY_ALIAS is clear + * + * Anything else is an error and may lead to a corrupt ASN1 method table + */ + if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0) + || (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0))) + goto err; + if (pem_str) { ameth->pem_str = OPENSSL_strdup(pem_str); if (!ameth->pem_str) diff --git a/deps/openssl/openssl/crypto/asn1/asn1_err.c b/deps/openssl/openssl/crypto/asn1/asn1_err.c index 8602c408d9..5d895d3009 100644 --- a/deps/openssl/openssl/crypto/asn1/asn1_err.c +++ b/deps/openssl/openssl/crypto/asn1/asn1_err.c @@ -92,8 +92,10 @@ static ERR_STRING_DATA ASN1_str_functs[] = { {ERR_FUNC(ASN1_F_D2I_AUTOPRIVATEKEY), "d2i_AutoPrivateKey"}, {ERR_FUNC(ASN1_F_D2I_PRIVATEKEY), "d2i_PrivateKey"}, {ERR_FUNC(ASN1_F_D2I_PUBLICKEY), "d2i_PublicKey"}, + {ERR_FUNC(ASN1_F_DO_BUF), "do_buf"}, {ERR_FUNC(ASN1_F_DO_TCREATE), "do_tcreate"}, {ERR_FUNC(ASN1_F_I2D_ASN1_BIO_STREAM), "i2d_ASN1_bio_stream"}, + {ERR_FUNC(ASN1_F_I2D_ASN1_OBJECT), "i2d_ASN1_OBJECT"}, {ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY), "i2d_DSA_PUBKEY"}, {ERR_FUNC(ASN1_F_I2D_EC_PUBKEY), "i2d_EC_PUBKEY"}, {ERR_FUNC(ASN1_F_I2D_PRIVATEKEY), "i2d_PrivateKey"}, diff --git a/deps/openssl/openssl/crypto/asn1/asn_mime.c b/deps/openssl/openssl/crypto/asn1/asn_mime.c index 84475e9470..da0085f680 100644 --- a/deps/openssl/openssl/crypto/asn1/asn_mime.c +++ b/deps/openssl/openssl/crypto/asn1/asn_mime.c @@ -969,12 +969,14 @@ static int strip_eol(char *linebuf, int *plen, int flags) p = linebuf + len - 1; for (p = linebuf + len - 1; len > 0; len--, p--) { c = *p; - if (c == '\n') + if (c == '\n') { is_eol = 1; - else if (is_eol && flags & SMIME_ASCIICRLF && c < 33) + } else if (is_eol && flags & SMIME_ASCIICRLF && c == 32) { + /* Strip trailing space on a line; 32 == ASCII for ' ' */ continue; - else if (c != '\r') + } else if (c != '\r') { break; + } } *plen = len; return is_eol; diff --git a/deps/openssl/openssl/crypto/asn1/p5_scrypt.c b/deps/openssl/openssl/crypto/asn1/p5_scrypt.c index 4cb7837498..10a7360233 100644 --- a/deps/openssl/openssl/crypto/asn1/p5_scrypt.c +++ b/deps/openssl/openssl/crypto/asn1/p5_scrypt.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -91,7 +91,7 @@ X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher, if (EVP_CIPHER_iv_length(cipher)) { if (aiv) memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher)); - else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0) + else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0) goto err; } diff --git a/deps/openssl/openssl/crypto/asn1/tasn_enc.c b/deps/openssl/openssl/crypto/asn1/tasn_enc.c index caa48696da..3b723a1845 100644 --- a/deps/openssl/openssl/crypto/asn1/tasn_enc.c +++ b/deps/openssl/openssl/crypto/asn1/tasn_enc.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -528,6 +528,8 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, otmp = (ASN1_OBJECT *)*pval; cont = otmp->data; len = otmp->length; + if (cont == NULL || len == 0) + return -1; break; case V_ASN1_NULL: diff --git a/deps/openssl/openssl/crypto/asn1/tasn_utl.c b/deps/openssl/openssl/crypto/asn1/tasn_utl.c index f79d7d6b44..832603b1db 100644 --- a/deps/openssl/openssl/crypto/asn1/tasn_utl.c +++ b/deps/openssl/openssl/crypto/asn1/tasn_utl.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -76,7 +76,7 @@ int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it) } return 1; } - if (CRYPTO_atomic_add(lck, op, &ret, *lock) < 0) + if (!CRYPTO_atomic_add(lck, op, &ret, *lock)) return -1; /* failed */ #ifdef REF_PRINT fprintf(stderr, "%p:%4d:%s\n", it, *lck, it->sname); diff --git a/deps/openssl/openssl/crypto/asn1/x_int64.c b/deps/openssl/openssl/crypto/asn1/x_int64.c index cbfa787362..4433167a44 100644 --- a/deps/openssl/openssl/crypto/asn1/x_int64.c +++ b/deps/openssl/openssl/crypto/asn1/x_int64.c @@ -262,3 +262,4 @@ ASN1_ITEM_start(ZUINT64) ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &uint64_pf, INTxx_FLAG_ZERO_DEFAULT, "ZUINT64" ASN1_ITEM_end(ZUINT64) + diff --git a/deps/openssl/openssl/crypto/async/arch/async_null.c b/deps/openssl/openssl/crypto/async/arch/async_null.c index da23c532b4..3eaf170f2e 100644 --- a/deps/openssl/openssl/crypto/async/arch/async_null.c +++ b/deps/openssl/openssl/crypto/async/arch/async_null.c @@ -20,3 +20,4 @@ void async_local_cleanup(void) { } #endif + diff --git a/deps/openssl/openssl/crypto/async/async.c b/deps/openssl/openssl/crypto/async/async.c index 9a4e6b2657..0862cca21a 100644 --- a/deps/openssl/openssl/crypto/async/async.c +++ b/deps/openssl/openssl/crypto/async/async.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -30,11 +30,12 @@ static CRYPTO_THREAD_LOCAL ctxkey; static CRYPTO_THREAD_LOCAL poolkey; -static void async_free_pool_internal(async_pool *pool); - static async_ctx *async_ctx_new(void) { - async_ctx *nctx = NULL; + async_ctx *nctx; + + if (!ossl_init_thread_start(OPENSSL_INIT_THREAD_ASYNC)) + return NULL; nctx = OPENSSL_malloc(sizeof(async_ctx)); if (nctx == NULL) { @@ -57,9 +58,6 @@ err: async_ctx *async_get_ctx(void) { - if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) - return NULL; - return (async_ctx *)CRYPTO_THREAD_get_local(&ctxkey); } @@ -169,16 +167,19 @@ void async_start_func(void) int ASYNC_start_job(ASYNC_JOB **job, ASYNC_WAIT_CTX *wctx, int *ret, int (*func)(void *), void *args, size_t size) { - async_ctx *ctx = async_get_ctx(); + async_ctx *ctx; + + if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) + return ASYNC_ERR; + + ctx = async_get_ctx(); if (ctx == NULL) ctx = async_ctx_new(); - if (ctx == NULL) { + if (ctx == NULL) return ASYNC_ERR; - } - if (*job) { + if (*job) ctx->currjob = *job; - } for (;;) { if (ctx->currjob != NULL) { @@ -219,9 +220,8 @@ int ASYNC_start_job(ASYNC_JOB **job, ASYNC_WAIT_CTX *wctx, int *ret, } /* Start a new job */ - if ((ctx->currjob = async_get_pool_job()) == NULL) { + if ((ctx->currjob = async_get_pool_job()) == NULL) return ASYNC_NO_JOBS; - } if (args != NULL) { ctx->currjob->funcargs = OPENSSL_malloc(size); @@ -323,12 +323,11 @@ int ASYNC_init_thread(size_t max_size, size_t init_size) return 0; } - if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) { + if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) return 0; - } - if (!ossl_init_thread_start(OPENSSL_INIT_THREAD_ASYNC)) { + + if (!ossl_init_thread_start(OPENSSL_INIT_THREAD_ASYNC)) return 0; - } pool = OPENSSL_zalloc(sizeof(*pool)); if (pool == NULL) { @@ -369,32 +368,41 @@ int ASYNC_init_thread(size_t max_size, size_t init_size) return 1; err: - async_free_pool_internal(pool); + async_empty_pool(pool); + sk_ASYNC_JOB_free(pool->jobs); + OPENSSL_free(pool); return 0; } -static void async_free_pool_internal(async_pool *pool) +void async_delete_thread_state(void) { - if (pool == NULL) - return; + async_pool *pool = (async_pool *)CRYPTO_THREAD_get_local(&poolkey); - async_empty_pool(pool); - sk_ASYNC_JOB_free(pool->jobs); - OPENSSL_free(pool); - CRYPTO_THREAD_set_local(&poolkey, NULL); + if (pool != NULL) { + async_empty_pool(pool); + sk_ASYNC_JOB_free(pool->jobs); + OPENSSL_free(pool); + CRYPTO_THREAD_set_local(&poolkey, NULL); + } async_local_cleanup(); async_ctx_free(); } void ASYNC_cleanup_thread(void) { - async_free_pool_internal((async_pool *)CRYPTO_THREAD_get_local(&poolkey)); + if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) + return; + + async_delete_thread_state(); } ASYNC_JOB *ASYNC_get_current_job(void) { async_ctx *ctx; + if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) + return NULL; + ctx = async_get_ctx(); if (ctx == NULL) return NULL; @@ -409,7 +417,12 @@ ASYNC_WAIT_CTX *ASYNC_get_wait_ctx(ASYNC_JOB *job) void ASYNC_block_pause(void) { - async_ctx *ctx = async_get_ctx(); + async_ctx *ctx; + + if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) + return; + + ctx = async_get_ctx(); if (ctx == NULL || ctx->currjob == NULL) { /* * We're not in a job anyway so ignore this @@ -421,7 +434,12 @@ void ASYNC_block_pause(void) void ASYNC_unblock_pause(void) { - async_ctx *ctx = async_get_ctx(); + async_ctx *ctx; + + if (!OPENSSL_init_crypto(OPENSSL_INIT_ASYNC, NULL)) + return; + + ctx = async_get_ctx(); if (ctx == NULL || ctx->currjob == NULL) { /* * We're not in a job anyway so ignore this diff --git a/deps/openssl/openssl/crypto/async/async_locl.h b/deps/openssl/openssl/crypto/async/async_locl.h index 0fe302a4ce..f0ac05a3db 100644 --- a/deps/openssl/openssl/crypto/async/async_locl.h +++ b/deps/openssl/openssl/crypto/async/async_locl.h @@ -74,3 +74,4 @@ void async_start_func(void); async_ctx *async_get_ctx(void); void async_wait_ctx_reset_counts(ASYNC_WAIT_CTX *ctx); + diff --git a/deps/openssl/openssl/crypto/bio/b_addr.c b/deps/openssl/openssl/crypto/bio/b_addr.c index aea843a7b9..6ed1652c8a 100644 --- a/deps/openssl/openssl/crypto/bio/b_addr.c +++ b/deps/openssl/openssl/crypto/bio/b_addr.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -66,18 +66,18 @@ void BIO_ADDR_clear(BIO_ADDR *ap) int BIO_ADDR_make(BIO_ADDR *ap, const struct sockaddr *sa) { if (sa->sa_family == AF_INET) { - ap->s_in = *(const struct sockaddr_in *)sa; + memcpy(&(ap->s_in), sa, sizeof(struct sockaddr_in)); return 1; } #ifdef AF_INET6 if (sa->sa_family == AF_INET6) { - ap->s_in6 = *(const struct sockaddr_in6 *)sa; + memcpy(&(ap->s_in6), sa, sizeof(struct sockaddr_in6)); return 1; } #endif #ifdef AF_UNIX if (sa->sa_family == AF_UNIX) { - ap->s_un = *(const struct sockaddr_un *)sa; + memcpy(&(ap->s_un), sa, sizeof(struct sockaddr_un)); return 1; } #endif @@ -604,7 +604,8 @@ static int addrinfo_wrap(int family, int socktype, DEFINE_RUN_ONCE_STATIC(do_bio_lookup_init) { - OPENSSL_init_crypto(0, NULL); + if (!OPENSSL_init_crypto(0, NULL)) + return 0; bio_lookup_lock = CRYPTO_THREAD_lock_new(); return bio_lookup_lock != NULL; } diff --git a/deps/openssl/openssl/crypto/bio/b_sock.c b/deps/openssl/openssl/crypto/bio/b_sock.c index 97dcc7005e..fac1432787 100644 --- a/deps/openssl/openssl/crypto/bio/b_sock.c +++ b/deps/openssl/openssl/crypto/bio/b_sock.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -317,7 +317,7 @@ int BIO_socket_nbio(int s, int mode) l = fcntl(s, F_GETFL, 0); if (l == -1) { - SYSerr(SYS_F_FCNTL, get_last_rtl_error()); + SYSerr(SYS_F_FCNTL, get_last_sys_error()); ret = -1; } else { # if defined(O_NONBLOCK) @@ -335,7 +335,7 @@ int BIO_socket_nbio(int s, int mode) ret = fcntl(s, F_SETFL, l); if (ret < 0) { - SYSerr(SYS_F_FCNTL, get_last_rtl_error()); + SYSerr(SYS_F_FCNTL, get_last_sys_error()); } } # else diff --git a/deps/openssl/openssl/crypto/bio/bio_lcl.h b/deps/openssl/openssl/crypto/bio/bio_lcl.h index 5f4b94f40b..39178cf50a 100644 --- a/deps/openssl/openssl/crypto/bio/bio_lcl.h +++ b/deps/openssl/openssl/crypto/bio/bio_lcl.h @@ -185,3 +185,4 @@ void bio_sock_cleanup_int(void); # endif #endif + diff --git a/deps/openssl/openssl/crypto/bio/bio_meth.c b/deps/openssl/openssl/crypto/bio/bio_meth.c index 1e785d348f..63a7cccc82 100644 --- a/deps/openssl/openssl/crypto/bio/bio_meth.c +++ b/deps/openssl/openssl/crypto/bio/bio_meth.c @@ -43,6 +43,7 @@ BIO_METHOD *BIO_meth_new(int type, const char *name) BIOerr(BIO_F_BIO_METH_NEW, ERR_R_MALLOC_FAILURE); return NULL; } + biom->type = type; return biom; } @@ -54,7 +55,7 @@ void BIO_meth_free(BIO_METHOD *biom) } } -int (*BIO_meth_get_write(BIO_METHOD *biom)) (BIO *, const char *, int) +int (*BIO_meth_get_write(const BIO_METHOD *biom)) (BIO *, const char *, int) { return biom->bwrite; } @@ -66,7 +67,7 @@ int BIO_meth_set_write(BIO_METHOD *biom, return 1; } -int (*BIO_meth_get_read(BIO_METHOD *biom)) (BIO *, char *, int) +int (*BIO_meth_get_read(const BIO_METHOD *biom)) (BIO *, char *, int) { return biom->bread; } @@ -78,7 +79,7 @@ int BIO_meth_set_read(BIO_METHOD *biom, return 1; } -int (*BIO_meth_get_puts(BIO_METHOD *biom)) (BIO *, const char *) +int (*BIO_meth_get_puts(const BIO_METHOD *biom)) (BIO *, const char *) { return biom->bputs; } @@ -90,7 +91,7 @@ int BIO_meth_set_puts(BIO_METHOD *biom, return 1; } -int (*BIO_meth_get_gets(BIO_METHOD *biom)) (BIO *, char *, int) +int (*BIO_meth_get_gets(const BIO_METHOD *biom)) (BIO *, char *, int) { return biom->bgets; } @@ -102,7 +103,7 @@ int BIO_meth_set_gets(BIO_METHOD *biom, return 1; } -long (*BIO_meth_get_ctrl(BIO_METHOD *biom)) (BIO *, int, long, void *) +long (*BIO_meth_get_ctrl(const BIO_METHOD *biom)) (BIO *, int, long, void *) { return biom->ctrl; } @@ -114,7 +115,7 @@ int BIO_meth_set_ctrl(BIO_METHOD *biom, return 1; } -int (*BIO_meth_get_create(BIO_METHOD *biom)) (BIO *) +int (*BIO_meth_get_create(const BIO_METHOD *biom)) (BIO *) { return biom->create; } @@ -125,7 +126,7 @@ int BIO_meth_set_create(BIO_METHOD *biom, int (*create) (BIO *)) return 1; } -int (*BIO_meth_get_destroy(BIO_METHOD *biom)) (BIO *) +int (*BIO_meth_get_destroy(const BIO_METHOD *biom)) (BIO *) { return biom->destroy; } @@ -136,7 +137,7 @@ int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy) (BIO *)) return 1; } -long (*BIO_meth_get_callback_ctrl(BIO_METHOD *biom)) (BIO *, int, BIO_info_cb *) +long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom)) (BIO *, int, BIO_info_cb *) { return biom->callback_ctrl; } diff --git a/deps/openssl/openssl/crypto/bio/bss_log.c b/deps/openssl/openssl/crypto/bio/bss_log.c index 5221acc2e3..4719a5e66a 100644 --- a/deps/openssl/openssl/crypto/bio/bss_log.c +++ b/deps/openssl/openssl/crypto/bio/bss_log.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -196,7 +196,7 @@ static int slg_write(BIO *b, const char *in, int inl) if ((buf = OPENSSL_malloc(inl + 1)) == NULL) { return (0); } - strncpy(buf, in, inl); + memcpy(buf, in, inl); buf[inl] = '\0'; i = 0; diff --git a/deps/openssl/openssl/crypto/bio/bss_mem.c b/deps/openssl/openssl/crypto/bio/bss_mem.c index ff9a3ebb41..4c0e4d7412 100644 --- a/deps/openssl/openssl/crypto/bio/bss_mem.c +++ b/deps/openssl/openssl/crypto/bio/bss_mem.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -212,6 +212,8 @@ static int mem_write(BIO *b, const char *in, int inl) goto end; } BIO_clear_retry_flags(b); + if (inl == 0) + return 0; blen = bbm->readp->length; mem_buf_sync(b); if (BUF_MEM_grow_clean(bbm->buf, blen + inl) == 0) diff --git a/deps/openssl/openssl/crypto/bn/asm/alpha-mont.pl b/deps/openssl/openssl/crypto/bn/asm/alpha-mont.pl index 1d68d6d072..9632133090 100644 --- a/deps/openssl/openssl/crypto/bn/asm/alpha-mont.pl +++ b/deps/openssl/openssl/crypto/bn/asm/alpha-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -297,15 +297,12 @@ bn_mul_mont: mov sp,$tp mov $bp,$rp # restore rp - and sp,$hi0,$ap - bic $bp,$hi0,$bp - bis $bp,$ap,$ap # ap=borrow?tp:rp - .align 4 -.Lcopy: ldq $aj,0($ap) # copy or in-place refresh +.Lcopy: ldq $aj,0($tp) # conditional copy + ldq $nj,0($rp) lda $tp,8($tp) lda $rp,8($rp) - lda $ap,8($ap) + cmoveq $hi0,$nj,$aj stq zero,-8($tp) # zap tp cmpult $tp,$tj,AT stq $aj,-8($rp) diff --git a/deps/openssl/openssl/crypto/bn/asm/armv4-mont.pl b/deps/openssl/openssl/crypto/bn/asm/armv4-mont.pl index 0dc4fe95e4..ddee8b7fa1 100644 --- a/deps/openssl/openssl/crypto/bn/asm/armv4-mont.pl +++ b/deps/openssl/openssl/crypto/bn/asm/armv4-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -262,14 +262,15 @@ bn_mul_mont: mov $tp,sp @ "rewind" $tp sub $rp,$rp,$aj @ "rewind" $rp - and $ap,$tp,$nhi - bic $np,$rp,$nhi - orr $ap,$ap,$np @ ap=borrow?tp:rp - -.Lcopy: ldr $tj,[$ap],#4 @ copy or in-place refresh +.Lcopy: ldr $tj,[$tp] @ conditional copy + ldr $aj,[$rp] str sp,[$tp],#4 @ zap tp - str $tj,[$rp],#4 - cmp $tp,$num +#ifdef __thumb2__ + it cc +#endif + movcc $aj,$tj + str $aj,[$rp],#4 + teq $tp,$num @ preserve carry bne .Lcopy mov sp,$num diff --git a/deps/openssl/openssl/crypto/bn/asm/ia64-mont.pl b/deps/openssl/openssl/crypto/bn/asm/ia64-mont.pl index 5cc5c599f9..0df1fad115 100644 --- a/deps/openssl/openssl/crypto/bn/asm/ia64-mont.pl +++ b/deps/openssl/openssl/crypto/bn/asm/ia64-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -341,19 +341,19 @@ bn_mul_mont_general: { .mmb; sub rptr=rptr,len // rewind sub tptr=tptr,len clrrrb.pr };; -{ .mmi; and aptr=tptr,topbit - andcm bptr=rptr,topbit +{ .mmi; mov aptr=rptr + mov bptr=tptr mov pr.rot=1<<16 };; -{ .mii; or nptr=aptr,bptr +{ .mii; cmp.eq p0,p6=topbit,r0 mov ar.lc=lc - mov ar.ec=3 };; + mov ar.ec=2 };; .Lcopy_ctop: -{ .mmb; (p16) ld8 n[0]=[nptr],8 - (p18) st8 [tptr]=r0,8 - (p16) nop.b 0 } -{ .mmb; (p16) nop.m 0 - (p18) st8 [rptr]=n[2],8 +{ .mmi; (p16) ld8 a[0]=[aptr],8 + (p16) ld8 t[0]=[bptr],8 + (p6) mov a[1]=t[1] };; // (p17) +{ .mmb; (p17) st8 [rptr]=a[1],8 + (p17) st8 [tptr]=r0,8 br.ctop.sptk .Lcopy_ctop };; .Lcopy_cend: diff --git a/deps/openssl/openssl/crypto/bn/asm/mips-mont.pl b/deps/openssl/openssl/crypto/bn/asm/mips-mont.pl index a907571bec..e141e1a925 100644 --- a/deps/openssl/openssl/crypto/bn/asm/mips-mont.pl +++ b/deps/openssl/openssl/crypto/bn/asm/mips-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -384,15 +384,13 @@ $code.=<<___; $PTR_SUB $rp,$num # restore rp not $hi1,$hi0 - and $ap,$hi0,$sp - and $bp,$hi1,$rp - or $ap,$ap,$bp # ap=borrow?tp:rp - -.align 4 -.Lcopy: $LD $aj,($ap) - $PTR_ADD $ap,$BNSZ +.Lcopy: $LD $nj,($tp) # conditional move + $LD $aj,($rp) $ST $zero,($tp) $PTR_ADD $tp,$BNSZ + and $nj,$hi0 + and $aj,$hi1 + or $aj,$nj sltu $at,$tp,$tj $ST $aj,($rp) bnez $at,.Lcopy diff --git a/deps/openssl/openssl/crypto/bn/asm/parisc-mont.pl b/deps/openssl/openssl/crypto/bn/asm/parisc-mont.pl index 8aa94e8511..cd9926a25f 100644 --- a/deps/openssl/openssl/crypto/bn/asm/parisc-mont.pl +++ b/deps/openssl/openssl/crypto/bn/asm/parisc-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2009-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2009-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -517,7 +517,6 @@ L\$sub stws,ma $hi1,4($rp) subb $ti0,%r0,$hi1 - ldo -4($tp),$tp ___ $code.=<<___ if ($BN_SZ==8); ldd,ma 8($tp),$ti0 @@ -532,21 +531,19 @@ L\$sub extrd,u $ti0,31,32,$ti0 ; carry in flipped word order sub,db $ti0,%r0,$hi1 - ldo -8($tp),$tp ___ $code.=<<___; - and $tp,$hi1,$ap - andcm $rp,$hi1,$bp - or $ap,$bp,$np - + ldo `$LOCALS+32`($fp),$tp sub $rp,$arrsz,$rp ; rewind rp subi 0,$arrsz,$idx - ldo `$LOCALS+32`($fp),$tp L\$copy - ldd $idx($np),$hi0 + ldd 0($tp),$ti0 + ldd 0($rp),$hi0 std,ma %r0,8($tp) - addib,<> 8,$idx,.-8 ; L\$copy - std,ma $hi0,8($rp) + comiclr,= 0,$hi1,%r0 + copy $ti0,$hi0 + addib,<> 8,$idx,L\$copy + std,ma $hi0,8($rp) ___ if ($BN_SZ==4) { # PA-RISC 1.1 code-path @@ -856,17 +853,16 @@ L\$sub_pa11 stws,ma $hi1,4($rp) subb $ti0,%r0,$hi1 - ldo -4($tp),$tp - and $tp,$hi1,$ap - andcm $rp,$hi1,$bp - or $ap,$bp,$np + ldo `$LOCALS+32`($fp),$tp sub $rp,$arrsz,$rp ; rewind rp subi 0,$arrsz,$idx - ldo `$LOCALS+32`($fp),$tp L\$copy_pa11 - ldwx $idx($np),$hi0 + ldw 0($tp),$ti0 + ldw 0($rp),$hi0 stws,ma %r0,4($tp) + comiclr,= 0,$hi1,%r0 + copy $ti0,$hi0 addib,<> 4,$idx,L\$copy_pa11 stws,ma $hi0,4($rp) diff --git a/deps/openssl/openssl/crypto/bn/asm/ppc-mont.pl b/deps/openssl/openssl/crypto/bn/asm/ppc-mont.pl index 5802260ca6..9d14a12156 100644 --- a/deps/openssl/openssl/crypto/bn/asm/ppc-mont.pl +++ b/deps/openssl/openssl/crypto/bn/asm/ppc-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -301,15 +301,16 @@ Lsub: $LDX $tj,$tp,$j li $j,0 mtctr $num subfe $ovf,$j,$ovf ; handle upmost overflow bit - and $ap,$tp,$ovf - andc $np,$rp,$ovf - or $ap,$ap,$np ; ap=borrow?tp:rp .align 4 -Lcopy: ; copy or in-place refresh - $LDX $tj,$ap,$j - $STX $tj,$rp,$j +Lcopy: ; conditional copy + $LDX $tj,$tp,$j + $LDX $aj,$rp,$j + and $tj,$tj,$ovf + andc $aj,$aj,$ovf $STX $j,$tp,$j ; zap at once + or $aj,$aj,$tj + $STX $aj,$rp,$j addi $j,$j,$BNSZ bdnz Lcopy diff --git a/deps/openssl/openssl/crypto/bn/asm/ppc64-mont.pl b/deps/openssl/openssl/crypto/bn/asm/ppc64-mont.pl index 1e19c958a1..5d9f43aa5d 100644 --- a/deps/openssl/openssl/crypto/bn/asm/ppc64-mont.pl +++ b/deps/openssl/openssl/crypto/bn/asm/ppc64-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1501,16 +1501,14 @@ Lsub: ldx $t0,$tp,$i li $i,0 subfe $ovf,$i,$ovf ; handle upmost overflow bit - and $ap,$tp,$ovf - andc $np,$rp,$ovf - or $ap,$ap,$np ; ap=borrow?tp:rp - addi $t7,$ap,8 mtctr $j .align 4 -Lcopy: ; copy or in-place refresh - ldx $t0,$ap,$i - ldx $t1,$t7,$i +Lcopy: ; conditional copy + ldx $t0,$tp,$i + ldx $t1,$t4,$i + ldx $t2,$rp,$i + ldx $t3,$t6,$i std $i,8($nap_d) ; zap nap_d std $i,16($nap_d) std $i,24($nap_d) @@ -1519,6 +1517,12 @@ Lcopy: ; copy or in-place refresh std $i,48($nap_d) std $i,56($nap_d) stdu $i,64($nap_d) + and $t0,$t0,$ovf + and $t1,$t1,$ovf + andc $t2,$t2,$ovf + andc $t3,$t3,$ovf + or $t0,$t0,$t2 + or $t1,$t1,$t3 stdx $t0,$rp,$i stdx $t1,$t6,$i stdx $i,$tp,$i ; zap tp at once @@ -1561,20 +1565,21 @@ Lsub: lwz $t0,12($tp) ; load tp[j..j+3] in 64-bit word order li $i,0 subfe $ovf,$i,$ovf ; handle upmost overflow bit - addi $tp,$sp,`$FRAME+$TRANSFER+4` + addi $ap,$sp,`$FRAME+$TRANSFER+4` subf $rp,$num,$rp ; rewind rp - and $ap,$tp,$ovf - andc $np,$rp,$ovf - or $ap,$ap,$np ; ap=borrow?tp:rp addi $tp,$sp,`$FRAME+$TRANSFER` mtctr $j .align 4 -Lcopy: ; copy or in-place refresh +Lcopy: ; conditional copy lwz $t0,4($ap) lwz $t1,8($ap) lwz $t2,12($ap) lwzu $t3,16($ap) + lwz $t4,4($rp) + lwz $t5,8($rp) + lwz $t6,12($rp) + lwz $t7,16($rp) std $i,8($nap_d) ; zap nap_d std $i,16($nap_d) std $i,24($nap_d) @@ -1583,6 +1588,18 @@ Lcopy: ; copy or in-place refresh std $i,48($nap_d) std $i,56($nap_d) stdu $i,64($nap_d) + and $t0,$t0,$ovf + and $t1,$t1,$ovf + and $t2,$t2,$ovf + and $t3,$t3,$ovf + andc $t4,$t4,$ovf + andc $t5,$t5,$ovf + andc $t6,$t6,$ovf + andc $t7,$t7,$ovf + or $t0,$t0,$t4 + or $t1,$t1,$t5 + or $t2,$t2,$t6 + or $t3,$t3,$t7 stw $t0,4($rp) stw $t1,8($rp) stw $t2,12($rp) diff --git a/deps/openssl/openssl/crypto/bn/asm/rsaz-avx2.pl b/deps/openssl/openssl/crypto/bn/asm/rsaz-avx2.pl index 46d746b7d0..0466e11a25 100755 --- a/deps/openssl/openssl/crypto/bn/asm/rsaz-avx2.pl +++ b/deps/openssl/openssl/crypto/bn/asm/rsaz-avx2.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2013-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -104,7 +104,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=11); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) { my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10 $avx = ($ver>=3.0) + ($ver>=3.01); $addx = ($ver>=3.03); diff --git a/deps/openssl/openssl/crypto/bn/asm/s390x-mont.pl b/deps/openssl/openssl/crypto/bn/asm/s390x-mont.pl index 2205bc2ca0..66780cdf80 100644 --- a/deps/openssl/openssl/crypto/bn/asm/s390x-mont.pl +++ b/deps/openssl/openssl/crypto/bn/asm/s390x-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -252,16 +252,16 @@ $code.=<<___; brct $count,.Lsub lghi $ahi,0 slbgr $AHI,$ahi # handle upmost carry - - ngr $ap,$AHI - lghi $np,-1 - xgr $np,$AHI - ngr $np,$rp - ogr $ap,$np # ap=borrow?tp:rp + lghi $NHI,-1 + xgr $NHI,$AHI la $j,0(%r0) lgr $count,$num -.Lcopy: lg $alo,0($j,$ap) # copy or in-place refresh +.Lcopy: lg $ahi,$stdframe($j,$sp) # conditional copy + lg $alo,0($j,$rp) + ngr $ahi,$AHI + ngr $alo,$NHI + ogr $alo,$ahi _dswap $alo stg $j,$stdframe($j,$sp) # zap tp stg $alo,0($j,$rp) diff --git a/deps/openssl/openssl/crypto/bn/asm/sparct4-mont.pl b/deps/openssl/openssl/crypto/bn/asm/sparct4-mont.pl index 4faf66f10a..4f339b2279 100755 --- a/deps/openssl/openssl/crypto/bn/asm/sparct4-mont.pl +++ b/deps/openssl/openssl/crypto/bn/asm/sparct4-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -888,19 +888,17 @@ $code.=<<___; sub $tp, $num, $tp sub $rp, $num, $rp - subc $ovf, %g0, $ovf ! handle upmost overflow bit - and $tp, $ovf, $ap - andn $rp, $ovf, $np - or $np, $ap, $ap ! ap=borrow?tp:rp + subccc $ovf, %g0, $ovf ! handle upmost overflow bit ba .Lcopy sub $num, 8, $cnt .align 16 -.Lcopy: ! copy or in-place refresh - ldx [$ap+0], $t2 - add $ap, 8, $ap +.Lcopy: ! conditional copy + ldx [$tp], $tj + ldx [$rp+0], $t2 stx %g0, [$tp] ! zap add $tp, 8, $tp + movcs %icc, $tj, $t2 stx $t2, [$rp+0] add $rp, 8, $rp brnz $cnt, .Lcopy @@ -1136,19 +1134,17 @@ $code.=<<___; sub $tp, $num, $tp sub $rp, $num, $rp - subc $ovf, %g0, $ovf ! handle upmost overflow bit - and $tp, $ovf, $ap - andn $rp, $ovf, $np - or $np, $ap, $ap ! ap=borrow?tp:rp + subccc $ovf, %g0, $ovf ! handle upmost overflow bit ba .Lcopy_g5 sub $num, 8, $cnt .align 16 -.Lcopy_g5: ! copy or in-place refresh - ldx [$ap+0], $t2 - add $ap, 8, $ap +.Lcopy_g5: ! conditional copy + ldx [$tp], $tj + ldx [$rp+0], $t2 stx %g0, [$tp] ! zap add $tp, 8, $tp + movcs %icc, $tj, $t2 stx $t2, [$rp+0] add $rp, 8, $rp brnz $cnt, .Lcopy_g5 diff --git a/deps/openssl/openssl/crypto/bn/asm/sparcv9-mont.pl b/deps/openssl/openssl/crypto/bn/asm/sparcv9-mont.pl index 6807c8b6e0..074f9df14b 100644 --- a/deps/openssl/openssl/crypto/bn/asm/sparcv9-mont.pl +++ b/deps/openssl/openssl/crypto/bn/asm/sparcv9-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -265,7 +265,6 @@ $fname: .Ltail: add $np,$num,$np add $rp,$num,$rp - mov $tp,$ap sub %g0,$num,%o7 ! k=-num ba .Lsub subcc %g0,%g0,%g0 ! clear %icc.c @@ -278,15 +277,14 @@ $fname: add %o7,4,%o7 brnz %o7,.Lsub st %o1,[$i] - subc $car2,0,$car2 ! handle upmost overflow bit - and $tp,$car2,$ap - andn $rp,$car2,$np - or $ap,$np,$ap + subccc $car2,0,$car2 ! handle upmost overflow bit sub %g0,$num,%o7 .Lcopy: - ld [$ap+%o7],%o0 ! copy or in-place refresh + ld [$tp+%o7],%o1 ! conditional copy + ld [$rp+%o7],%o0 st %g0,[$tp+%o7] ! zap tp + movcs %icc,%o1,%o0 st %o0,[$rp+%o7] add %o7,4,%o7 brnz %o7,.Lcopy @@ -495,6 +493,9 @@ $code.=<<___; mulx $npj,$mul1,$acc1 add $tpj,$car1,$car1 ld [$np+$j],$npj ! np[j] + srlx $car1,32,$tmp0 + and $car1,$mask,$car1 + add $tmp0,$sbit,$sbit add $acc0,$car1,$car1 ld [$tp+8],$tpj ! tp[j] add $acc1,$car1,$car1 diff --git a/deps/openssl/openssl/crypto/bn/asm/via-mont.pl b/deps/openssl/openssl/crypto/bn/asm/via-mont.pl index 9f81bc822e..9d65a146a2 100644 --- a/deps/openssl/openssl/crypto/bn/asm/via-mont.pl +++ b/deps/openssl/openssl/crypto/bn/asm/via-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -213,18 +213,15 @@ $sp=&DWP(28,"esp"); &mov ("eax",&DWP(0,"esi","edx",4)); # upmost overflow bit &sbb ("eax",0); - &and ("esi","eax"); - ¬ ("eax"); - &mov ("ebp","edi"); - &and ("ebp","eax"); - &or ("esi","ebp"); # tp=carry?tp:rp &mov ("ecx","edx"); # num - &xor ("edx","edx"); # i=0 + &mov ("edx",0); # i=0 &set_label("copy",8); - &mov ("eax",&DWP(0,"esi","edx",4)); - &mov (&DWP(64,"esp","edx",4),"ecx"); # zap tp + &mov ("ebx",&DWP(0,"esi","edx",4)); + &mov ("eax",&DWP(0,"edi","edx",4)); + &mov (&DWP(0,"esi","edx",4),"ecx"); # zap tp + &cmovc ("eax","ebx"); &mov (&DWP(0,"edi","edx",4),"eax"); &lea ("edx",&DWP(1,"edx")); # i++ &loop (&label("copy")); diff --git a/deps/openssl/openssl/crypto/bn/asm/vis3-mont.pl b/deps/openssl/openssl/crypto/bn/asm/vis3-mont.pl index 64dba4480f..ba34b36a81 100644 --- a/deps/openssl/openssl/crypto/bn/asm/vis3-mont.pl +++ b/deps/openssl/openssl/crypto/bn/asm/vis3-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -310,23 +310,23 @@ $code.=<<___; sub $anp, $num, $anp sub $rp, $num, $rp - subc $ovf, %g0, $ovf ! handle upmost overflow bit - and $tp, $ovf, $ap - andn $rp, $ovf, $np - or $np, $ap, $ap ! ap=borrow?tp:rp + subccc $ovf, %g0, $ovf ! handle upmost overflow bit ba .Lcopy sub $num, 8, $cnt .align 16 -.Lcopy: ! copy or in-place refresh - ld [$ap+0], $t2 - ld [$ap+4], $t3 - add $ap, 8, $ap +.Lcopy: ! conditional copy + ld [$tp+0], $t0 + ld [$tp+4], $t1 + ld [$rp+0], $t2 + ld [$rp+4], $t3 stx %g0, [$tp] ! zap add $tp, 8, $tp stx %g0, [$anp] ! zap stx %g0, [$anp+8] add $anp, 16, $anp + movcs %icc, $t0, $t2 + movcs %icc, $t1, $t3 st $t3, [$rp+0] ! flip order st $t2, [$rp+4] add $rp, 8, $rp diff --git a/deps/openssl/openssl/crypto/bn/asm/x86-mont.pl b/deps/openssl/openssl/crypto/bn/asm/x86-mont.pl index a8b402d59b..f1abcc5b4c 100755 --- a/deps/openssl/openssl/crypto/bn/asm/x86-mont.pl +++ b/deps/openssl/openssl/crypto/bn/asm/x86-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -39,7 +39,7 @@ require "x86asm.pl"; $output = pop; open STDOUT,">$output"; - + &asm_init($ARGV[0],$0); $sse2=0; @@ -604,16 +604,18 @@ $sbit=$num; &jge (&label("sub")); &sbb ("eax",0); # handle upmost overflow bit - &and ($tp,"eax"); - ¬ ("eax"); - &mov ($np,$rp); - &and ($np,"eax"); - &or ($tp,$np); # tp=carry?tp:rp - -&set_label("copy",16); # copy or in-place refresh - &mov ("eax",&DWP(0,$tp,$num,4)); - &mov (&DWP(0,$rp,$num,4),"eax"); # rp[i]=tp[i] + &mov ("edx",-1); + &xor ("edx","eax"); + &jmp (&label("copy")); + +&set_label("copy",16); # conditional copy + &mov ($tp,&DWP($frame,"esp",$num,4)); + &mov ($np,&DWP(0,$rp,$num,4)); &mov (&DWP($frame,"esp",$num,4),$j); # zap temporary vector + &and ($tp,"eax"); + &and ($np,"edx"); + &or ($np,$tp); + &mov (&DWP(0,$rp,$num,4),$np); &dec ($num); &jge (&label("copy")); diff --git a/deps/openssl/openssl/crypto/bn/asm/x86_64-mont.pl b/deps/openssl/openssl/crypto/bn/asm/x86_64-mont.pl index df4cca5bfe..8d2fb2cebb 100755 --- a/deps/openssl/openssl/crypto/bn/asm/x86_64-mont.pl +++ b/deps/openssl/openssl/crypto/bn/asm/x86_64-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -302,30 +302,30 @@ $code.=<<___; xor $i,$i # i=0 and clear CF! mov (%rsp),%rax # tp[0] - lea (%rsp),$ap # borrow ap for tp mov $num,$j # j=num - jmp .Lsub + .align 16 .Lsub: sbb ($np,$i,8),%rax mov %rax,($rp,$i,8) # rp[i]=tp[i]-np[i] - mov 8($ap,$i,8),%rax # tp[i+1] + mov 8(%rsp,$i,8),%rax # tp[i+1] lea 1($i),$i # i++ dec $j # doesnn't affect CF! jnz .Lsub sbb \$0,%rax # handle upmost overflow bit + mov \$-1,%rbx + xor %rax,%rbx # not %rax xor $i,$i - and %rax,$ap - not %rax - mov $rp,$np - and %rax,$np mov $num,$j # j=num - or $np,$ap # ap=borrow?tp:rp -.align 16 -.Lcopy: # copy or in-place refresh - mov ($ap,$i,8),%rax - mov $i,(%rsp,$i,8) # zap temporary vector - mov %rax,($rp,$i,8) # rp[i]=tp[i] + +.Lcopy: # conditional copy + mov ($rp,$i,8),%rcx + mov (%rsp,$i,8),%rdx + and %rbx,%rcx + and %rax,%rdx + mov $num,(%rsp,$i,8) # zap temporary vector + or %rcx,%rdx + mov %rdx,($rp,$i,8) # rp[i]=tp[i] lea 1($i),$i sub \$1,$j jnz .Lcopy @@ -695,10 +695,10 @@ ___ my @ri=("%rax","%rdx",$m0,$m1); $code.=<<___; mov 16(%rsp,$num,8),$rp # restore $rp + lea -4($num),$j mov 0(%rsp),@ri[0] # tp[0] - pxor %xmm0,%xmm0 mov 8(%rsp),@ri[1] # tp[1] - shr \$2,$num # num/=4 + shr \$2,$j # j=num/4-1 lea (%rsp),$ap # borrow ap for tp xor $i,$i # i=0 and clear CF! @@ -706,9 +706,7 @@ $code.=<<___; mov 16($ap),@ri[2] # tp[2] mov 24($ap),@ri[3] # tp[3] sbb 8($np),@ri[1] - lea -1($num),$j # j=num/4-1 - jmp .Lsub4x -.align 16 + .Lsub4x: mov @ri[0],0($rp,$i,8) # rp[i]=tp[i]-np[i] mov @ri[1],8($rp,$i,8) # rp[i]=tp[i]-np[i] @@ -735,34 +733,35 @@ $code.=<<___; sbb \$0,@ri[0] # handle upmost overflow bit mov @ri[3],24($rp,$i,8) # rp[i]=tp[i]-np[i] - xor $i,$i # i=0 - and @ri[0],$ap - not @ri[0] - mov $rp,$np - and @ri[0],$np - lea -1($num),$j - or $np,$ap # ap=borrow?tp:rp - - movdqu ($ap),%xmm1 - movdqa %xmm0,(%rsp) - movdqu %xmm1,($rp) + pxor %xmm0,%xmm0 + movq @ri[0],%xmm4 + pcmpeqd %xmm5,%xmm5 + pshufd \$0,%xmm4,%xmm4 + mov $num,$j + pxor %xmm4,%xmm5 + shr \$2,$j # j=num/4 + xor %eax,%eax # i=0 + jmp .Lcopy4x .align 16 -.Lcopy4x: # copy or in-place refresh - movdqu 16($ap,$i),%xmm2 - movdqu 32($ap,$i),%xmm1 - movdqa %xmm0,16(%rsp,$i) - movdqu %xmm2,16($rp,$i) - movdqa %xmm0,32(%rsp,$i) - movdqu %xmm1,32($rp,$i) - lea 32($i),$i +.Lcopy4x: # conditional copy + movdqa (%rsp,%rax),%xmm1 + movdqu ($rp,%rax),%xmm2 + pand %xmm4,%xmm1 + pand %xmm5,%xmm2 + movdqa 16(%rsp,%rax),%xmm3 + movdqa %xmm0,(%rsp,%rax) + por %xmm2,%xmm1 + movdqu 16($rp,%rax),%xmm2 + movdqu %xmm1,($rp,%rax) + pand %xmm4,%xmm3 + pand %xmm5,%xmm2 + movdqa %xmm0,16(%rsp,%rax) + por %xmm2,%xmm3 + movdqu %xmm3,16($rp,%rax) + lea 32(%rax),%rax dec $j jnz .Lcopy4x - - shl \$2,$num - movdqu 16($ap,$i),%xmm2 - movdqa %xmm0,16(%rsp,$i) - movdqu %xmm2,16($rp,$i) ___ } $code.=<<___; diff --git a/deps/openssl/openssl/crypto/bn/asm/x86_64-mont5.pl b/deps/openssl/openssl/crypto/bn/asm/x86_64-mont5.pl index 5779059ea2..97d8eee700 100755 --- a/deps/openssl/openssl/crypto/bn/asm/x86_64-mont5.pl +++ b/deps/openssl/openssl/crypto/bn/asm/x86_64-mont5.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -414,18 +414,19 @@ $code.=<<___; jnz .Lsub sbb \$0,%rax # handle upmost overflow bit + mov \$-1,%rbx + xor %rax,%rbx xor $i,$i - and %rax,$ap - not %rax - mov $rp,$np - and %rax,$np mov $num,$j # j=num - or $np,$ap # ap=borrow?tp:rp -.align 16 -.Lcopy: # copy or in-place refresh - mov ($ap,$i,8),%rax + +.Lcopy: # conditional copy + mov ($rp,$i,8),%rcx + mov (%rsp,$i,8),%rdx + and %rbx,%rcx + and %rax,%rdx mov $i,(%rsp,$i,8) # zap temporary vector - mov %rax,($rp,$i,8) # rp[i]=tp[i] + or %rcx,%rdx + mov %rdx,($rp,$i,8) # rp[i]=tp[i] lea 1($i),$i sub \$1,$j jnz .Lcopy diff --git a/deps/openssl/openssl/crypto/bn/bn_div.c b/deps/openssl/openssl/crypto/bn/bn_div.c index 5e620b2096..884ff29917 100644 --- a/deps/openssl/openssl/crypto/bn/bn_div.c +++ b/deps/openssl/openssl/crypto/bn/bn_div.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -240,6 +240,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, wnum.neg = 0; wnum.d = &(snum->d[loop]); wnum.top = div_n; + wnum.flags = BN_FLG_STATIC_DATA; /* * only needed when BN_ucmp messes up the values between top and max */ diff --git a/deps/openssl/openssl/crypto/bn/bn_exp.c b/deps/openssl/openssl/crypto/bn/bn_exp.c index 0d2d1eca6b..a6ad475a0b 100644 --- a/deps/openssl/openssl/crypto/bn/bn_exp.c +++ b/deps/openssl/openssl/crypto/bn/bn_exp.c @@ -188,8 +188,8 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, bits = BN_num_bits(p); if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(r); } else { @@ -330,8 +330,8 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } bits = BN_num_bits(p); if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(rr); } else { @@ -371,17 +371,17 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ret = 1; goto err; } - if (!BN_to_montgomery(val[0], aa, mont, ctx)) + if (!bn_to_mont_fixed_top(val[0], aa, mont, ctx)) goto err; /* 1 */ window = BN_window_bits_for_exponent_size(bits); if (window > 1) { - if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) + if (!bn_mul_mont_fixed_top(d, val[0], val[0], mont, ctx)) goto err; /* 2 */ j = 1 << (window - 1); for (i = 1; i < j; i++) { if (((val[i] = BN_CTX_get(ctx)) == NULL) || - !BN_mod_mul_montgomery(val[i], val[i - 1], d, mont, ctx)) + !bn_mul_mont_fixed_top(val[i], val[i - 1], d, mont, ctx)) goto err; } } @@ -403,19 +403,15 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, for (i = 1; i < j; i++) r->d[i] = (~m->d[i]) & BN_MASK2; r->top = j; - /* - * Upper words will be zero if the corresponding words of 'm' were - * 0xfff[...], so decrement r->top accordingly. - */ - bn_correct_top(r); + r->flags |= BN_FLG_FIXED_TOP; } else #endif - if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) + if (!bn_to_mont_fixed_top(r, BN_value_one(), mont, ctx)) goto err; for (;;) { if (BN_is_bit_set(p, wstart) == 0) { if (!start) { - if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) + if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx)) goto err; } if (wstart == 0) @@ -446,12 +442,12 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, /* add the 'bytes above' */ if (!start) for (i = 0; i < j; i++) { - if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) + if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx)) goto err; } /* wvalue will be an odd number < 2^window */ - if (!BN_mod_mul_montgomery(r, r, val[wvalue >> 1], mont, ctx)) + if (!bn_mul_mont_fixed_top(r, r, val[wvalue >> 1], mont, ctx)) goto err; /* move the 'window' down further */ @@ -461,6 +457,11 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, if (wstart < 0) break; } + /* + * Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery + * removes padding [if any] and makes return value suitable for public + * API consumer. + */ #if defined(SPARC_T4_MONT) if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) { j = mont->N.top; /* borrow j */ @@ -587,7 +588,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, } b->top = top; - bn_correct_top(b); + b->flags |= BN_FLG_FIXED_TOP; return 1; } @@ -639,8 +640,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, */ bits = p->top * BN_BITS2; if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(rr); } else { @@ -757,16 +758,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, tmp.top = top; } else #endif - if (!BN_to_montgomery(&tmp, BN_value_one(), mont, ctx)) + if (!bn_to_mont_fixed_top(&tmp, BN_value_one(), mont, ctx)) goto err; /* prepare a^1 in Montgomery domain */ if (a->neg || BN_ucmp(a, m) >= 0) { if (!BN_mod(&am, a, m, ctx)) goto err; - if (!BN_to_montgomery(&am, &am, mont, ctx)) + if (!bn_to_mont_fixed_top(&am, &am, mont, ctx)) goto err; - } else if (!BN_to_montgomery(&am, a, mont, ctx)) + } else if (!bn_to_mont_fixed_top(&am, a, mont, ctx)) goto err; #if defined(SPARC_T4_MONT) @@ -1033,14 +1034,14 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, * performance advantage of sqr over mul). */ if (window > 1) { - if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx)) + if (!bn_mul_mont_fixed_top(&tmp, &am, &am, mont, ctx)) goto err; if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2, window)) goto err; for (i = 3; i < numPowers; i++) { /* Calculate a^i = a^(i-1) * a */ - if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx)) + if (!bn_mul_mont_fixed_top(&tmp, &am, &tmp, mont, ctx)) goto err; if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i, window)) @@ -1064,7 +1065,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, /* Scan the window, squaring the result as we go */ for (i = 0; i < window; i++, bits--) { - if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx)) + if (!bn_mul_mont_fixed_top(&tmp, &tmp, &tmp, mont, ctx)) goto err; wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); } @@ -1077,12 +1078,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, goto err; /* Multiply the result into the intermediate result */ - if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx)) + if (!bn_mul_mont_fixed_top(&tmp, &tmp, &am, mont, ctx)) goto err; } } - /* Convert the final result from montgomery to standard format */ + /* + * Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery + * removes padding [if any] and makes return value suitable for public + * API consumer. + */ #if defined(SPARC_T4_MONT) if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) { am.d[0] = 1; /* borrow am */ @@ -1151,8 +1156,8 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, bits = BN_num_bits(p); if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(rr); } else { @@ -1273,9 +1278,9 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, } bits = BN_num_bits(p); - if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + if (bits == 0) { + /* x**0 mod 1, or x**0 mod -1 is still zero. */ + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(r); } else { diff --git a/deps/openssl/openssl/crypto/bn/bn_gcd.c b/deps/openssl/openssl/crypto/bn/bn_gcd.c index 067642644e..bed231c8fa 100644 --- a/deps/openssl/openssl/crypto/bn/bn_gcd.c +++ b/deps/openssl/openssl/crypto/bn/bn_gcd.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -140,7 +140,14 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in, BIGNUM *ret = NULL; int sign; - if (pnoinv) + /* This is invalid input so we don't worry about constant time here */ + if (BN_abs_is_word(n, 1) || BN_is_zero(n)) { + if (pnoinv != NULL) + *pnoinv = 1; + return NULL; + } + + if (pnoinv != NULL) *pnoinv = 0; if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0) diff --git a/deps/openssl/openssl/crypto/bn/bn_gf2m.c b/deps/openssl/openssl/crypto/bn/bn_gf2m.c index b1987f55dd..d80f3ec940 100644 --- a/deps/openssl/openssl/crypto/bn/bn_gf2m.c +++ b/deps/openssl/openssl/crypto/bn/bn_gf2m.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -32,30 +32,32 @@ */ # define MAX_ITERATIONS 50 -static const BN_ULONG SQR_tb[16] = { 0, 1, 4, 5, 16, 17, 20, 21, - 64, 65, 68, 69, 80, 81, 84, 85 -}; +# define SQR_nibble(w) ((((w) & 8) << 3) \ + | (((w) & 4) << 2) \ + | (((w) & 2) << 1) \ + | ((w) & 1)) + /* Platform-specific macros to accelerate squaring. */ # if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG) # define SQR1(w) \ - SQR_tb[(w) >> 60 & 0xF] << 56 | SQR_tb[(w) >> 56 & 0xF] << 48 | \ - SQR_tb[(w) >> 52 & 0xF] << 40 | SQR_tb[(w) >> 48 & 0xF] << 32 | \ - SQR_tb[(w) >> 44 & 0xF] << 24 | SQR_tb[(w) >> 40 & 0xF] << 16 | \ - SQR_tb[(w) >> 36 & 0xF] << 8 | SQR_tb[(w) >> 32 & 0xF] + SQR_nibble((w) >> 60) << 56 | SQR_nibble((w) >> 56) << 48 | \ + SQR_nibble((w) >> 52) << 40 | SQR_nibble((w) >> 48) << 32 | \ + SQR_nibble((w) >> 44) << 24 | SQR_nibble((w) >> 40) << 16 | \ + SQR_nibble((w) >> 36) << 8 | SQR_nibble((w) >> 32) # define SQR0(w) \ - SQR_tb[(w) >> 28 & 0xF] << 56 | SQR_tb[(w) >> 24 & 0xF] << 48 | \ - SQR_tb[(w) >> 20 & 0xF] << 40 | SQR_tb[(w) >> 16 & 0xF] << 32 | \ - SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \ - SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF] + SQR_nibble((w) >> 28) << 56 | SQR_nibble((w) >> 24) << 48 | \ + SQR_nibble((w) >> 20) << 40 | SQR_nibble((w) >> 16) << 32 | \ + SQR_nibble((w) >> 12) << 24 | SQR_nibble((w) >> 8) << 16 | \ + SQR_nibble((w) >> 4) << 8 | SQR_nibble((w) ) # endif # ifdef THIRTY_TWO_BIT # define SQR1(w) \ - SQR_tb[(w) >> 28 & 0xF] << 24 | SQR_tb[(w) >> 24 & 0xF] << 16 | \ - SQR_tb[(w) >> 20 & 0xF] << 8 | SQR_tb[(w) >> 16 & 0xF] + SQR_nibble((w) >> 28) << 24 | SQR_nibble((w) >> 24) << 16 | \ + SQR_nibble((w) >> 20) << 8 | SQR_nibble((w) >> 16) # define SQR0(w) \ - SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \ - SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF] + SQR_nibble((w) >> 12) << 24 | SQR_nibble((w) >> 8) << 16 | \ + SQR_nibble((w) >> 4) << 8 | SQR_nibble((w) ) # endif # if !defined(OPENSSL_BN_ASM_GF2m) diff --git a/deps/openssl/openssl/crypto/bn/bn_intern.c b/deps/openssl/openssl/crypto/bn/bn_intern.c index 2c970647de..7b25927f9b 100644 --- a/deps/openssl/openssl/crypto/bn/bn_intern.c +++ b/deps/openssl/openssl/crypto/bn/bn_intern.c @@ -1,5 +1,5 @@ /* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -177,16 +177,20 @@ BN_ULONG *bn_get_words(const BIGNUM *a) return a->d; } -void bn_set_static_words(BIGNUM *a, BN_ULONG *words, int size) +void bn_set_static_words(BIGNUM *a, const BN_ULONG *words, int size) { - a->d = words; + /* + * |const| qualifier omission is compensated by BN_FLG_STATIC_DATA + * flag, which effectively means "read-only data". + */ + a->d = (BN_ULONG *)words; a->dmax = a->top = size; a->neg = 0; a->flags |= BN_FLG_STATIC_DATA; bn_correct_top(a); } -int bn_set_words(BIGNUM *a, BN_ULONG *words, int num_words) +int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words) { if (bn_wexpand(a, num_words) == NULL) { BNerr(BN_F_BN_SET_WORDS, ERR_R_MALLOC_FAILURE); diff --git a/deps/openssl/openssl/crypto/bn/bn_lcl.h b/deps/openssl/openssl/crypto/bn/bn_lcl.h index 5fb3814554..4d9808f5b8 100644 --- a/deps/openssl/openssl/crypto/bn/bn_lcl.h +++ b/deps/openssl/openssl/crypto/bn/bn_lcl.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -145,7 +145,16 @@ extern "C" { */ # ifdef BN_DEBUG - +/* + * The new BN_FLG_FIXED_TOP flag marks vectors that were not treated with + * bn_correct_top, in other words such vectors are permitted to have zeros + * in most significant limbs. Such vectors are used internally to achieve + * execution time invariance for critical operations with private keys. + * It's BN_DEBUG-only flag, because user application is not supposed to + * observe it anyway. Moreover, optimizing compiler would actually remove + * all operations manipulating the bit in question in non-BN_DEBUG build. + */ +# define BN_FLG_FIXED_TOP 0x10000 # ifdef BN_DEBUG_RAND /* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */ # ifndef RAND_bytes @@ -177,8 +186,10 @@ int RAND_bytes(unsigned char *buf, int num); do { \ const BIGNUM *_bnum2 = (a); \ if (_bnum2 != NULL) { \ - OPENSSL_assert(((_bnum2->top == 0) && !_bnum2->neg) || \ - (_bnum2->top && (_bnum2->d[_bnum2->top - 1] != 0))); \ + int _top = _bnum2->top; \ + OPENSSL_assert((_top == 0 && !_bnum2->neg) || \ + (_top && ((_bnum2->flags & BN_FLG_FIXED_TOP) \ + || _bnum2->d[_top - 1] != 0))); \ bn_pollute(_bnum2); \ } \ } while(0) @@ -197,6 +208,7 @@ int RAND_bytes(unsigned char *buf, int num); # else /* !BN_DEBUG */ +# define BN_FLG_FIXED_TOP 0 # define bn_pollute(a) # define bn_check_top(a) # define bn_fix_top(a) bn_correct_top(a) @@ -228,7 +240,8 @@ struct bignum_st { /* Used for montgomery multiplication */ struct bn_mont_ctx_st { int ri; /* number of bits in R */ - BIGNUM RR; /* used to convert to montgomery form */ + BIGNUM RR; /* used to convert to montgomery form, + possibly zero-padded */ BIGNUM N; /* The modulus */ BIGNUM Ni; /* R*(1/R mod N) - N*Ni = 1 (Ni is only * stored for bignum algorithm) */ diff --git a/deps/openssl/openssl/crypto/bn/bn_lib.c b/deps/openssl/openssl/crypto/bn/bn_lib.c index 7058494092..25eac396e0 100644 --- a/deps/openssl/openssl/crypto/bn/bn_lib.c +++ b/deps/openssl/openssl/crypto/bn/bn_lib.c @@ -12,6 +12,7 @@ #include "internal/cryptlib.h" #include "bn_lcl.h" #include <openssl/opensslconf.h> +#include "internal/constant_time_locl.h" /* This stuff appears to be completely unused, so is deprecated */ #if OPENSSL_API_COMPAT < 0x00908000L @@ -222,8 +223,6 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) const BN_ULONG *B; int i; - bn_check_top(b); - if (words > (INT_MAX / (4 * BN_BITS2))) { BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG); return NULL; @@ -298,8 +297,6 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) BIGNUM *bn_expand2(BIGNUM *b, int words) { - bn_check_top(b); - if (words > b->dmax) { BN_ULONG *a = bn_expand_internal(b, words); if (!a) @@ -312,7 +309,6 @@ BIGNUM *bn_expand2(BIGNUM *b, int words) b->dmax = words; } - bn_check_top(b); return b; } @@ -379,12 +375,19 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b) memcpy(a->d, b->d, sizeof(b->d[0]) * b->top); #endif - a->top = b->top; a->neg = b->neg; + a->top = b->top; + a->flags |= b->flags & BN_FLG_FIXED_TOP; bn_check_top(a); return (a); } +#define FLAGS_DATA(flags) ((flags) & (BN_FLG_STATIC_DATA \ + | BN_FLG_CONSTTIME \ + | BN_FLG_SECURE \ + | BN_FLG_FIXED_TOP)) +#define FLAGS_STRUCT(flags) ((flags) & (BN_FLG_MALLOCED)) + void BN_swap(BIGNUM *a, BIGNUM *b) { int flags_old_a, flags_old_b; @@ -412,10 +415,8 @@ void BN_swap(BIGNUM *a, BIGNUM *b) b->dmax = tmp_dmax; b->neg = tmp_neg; - a->flags = - (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA); - b->flags = - (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA); + a->flags = FLAGS_STRUCT(flags_old_a) | FLAGS_DATA(flags_old_b); + b->flags = FLAGS_STRUCT(flags_old_b) | FLAGS_DATA(flags_old_a); bn_check_top(a); bn_check_top(b); } @@ -425,8 +426,9 @@ void BN_clear(BIGNUM *a) bn_check_top(a); if (a->d != NULL) OPENSSL_cleanse(a->d, sizeof(*a->d) * a->dmax); - a->top = 0; a->neg = 0; + a->top = 0; + a->flags &= ~BN_FLG_FIXED_TOP; } BN_ULONG BN_get_word(const BIGNUM *a) @@ -447,6 +449,7 @@ int BN_set_word(BIGNUM *a, BN_ULONG w) a->neg = 0; a->d[0] = w; a->top = (w ? 1 : 0); + a->flags &= ~BN_FLG_FIXED_TOP; bn_check_top(a); return (1); } @@ -499,24 +502,29 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) /* ignore negative */ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) { - int i; + int n; + size_t i, inc, lasti, j; BN_ULONG l; - bn_check_top(a); - i = BN_num_bytes(a); + n = BN_num_bytes(a); if (tolen == -1) - tolen = i; - else if (tolen < i) + tolen = n; + else if (tolen < n) return -1; - /* Add leading zeroes if necessary */ - if (tolen > i) { - memset(to, 0, tolen - i); - to += tolen - i; + + if (n == 0) { + OPENSSL_cleanse(to, tolen); + return tolen; } - while (i--) { + + lasti = n - 1; + for (i = 0, inc = 1, j = tolen; j > 0;) { l = a->d[i / BN_BYTES]; - *(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff; + to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & (0 - inc)); + inc = (i - lasti) >> (8 * sizeof(i) - 1); + i += inc; /* stay on top limb */ } + return tolen; } @@ -683,6 +691,7 @@ int BN_set_bit(BIGNUM *a, int n) for (k = a->top; k < i + 1; k++) a->d[k] = 0; a->top = i + 1; + a->flags &= ~BN_FLG_FIXED_TOP; } a->d[i] |= (((BN_ULONG)1) << j); @@ -824,6 +833,34 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) a->top ^= t; b->top ^= t; + t = (a->neg ^ b->neg) & condition; + a->neg ^= t; + b->neg ^= t; + + /*- + * Idea behind BN_FLG_STATIC_DATA is actually to + * indicate that data may not be written to. + * Intention is actually to treat it as it's + * read-only data, and some (if not most) of it does + * reside in read-only segment. In other words + * observation of BN_FLG_STATIC_DATA in + * BN_consttime_swap should be treated as fatal + * condition. It would either cause SEGV or + * effectively cause data corruption. + * BN_FLG_MALLOCED refers to BN structure itself, + * and hence must be preserved. Remaining flags are + * BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be + * preserved, because it determines how x->d was + * allocated and hence how to free it. This leaves + * BN_FLG_CONSTTIME that one can do something about. + * To summarize it's sufficient to mask and swap + * BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should + * be treated as fatal. + */ + t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition; + a->flags ^= t; + b->flags ^= t; + #define BN_CONSTTIME_SWAP(ind) \ do { \ t = (a->d[ind] ^ b->d[ind]) & condition; \ @@ -887,8 +924,9 @@ int BN_security_bits(int L, int N) void BN_zero_ex(BIGNUM *a) { - a->top = 0; a->neg = 0; + a->top = 0; + a->flags &= ~BN_FLG_FIXED_TOP; } int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w) @@ -1012,5 +1050,6 @@ void bn_correct_top(BIGNUM *a) } if (a->top == 0) a->neg = 0; + a->flags &= ~BN_FLG_FIXED_TOP; bn_pollute(a); } diff --git a/deps/openssl/openssl/crypto/bn/bn_mod.c b/deps/openssl/openssl/crypto/bn/bn_mod.c index 13b583f76c..2361094ee4 100644 --- a/deps/openssl/openssl/crypto/bn/bn_mod.c +++ b/deps/openssl/openssl/crypto/bn/bn_mod.c @@ -1,5 +1,5 @@ /* - * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -35,18 +35,73 @@ int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, /* * BN_mod_add variant that may be used if both a and b are non-negative and - * less than m + * less than m. The original algorithm was + * + * if (!BN_uadd(r, a, b)) + * return 0; + * if (BN_ucmp(r, m) >= 0) + * return BN_usub(r, r, m); + * + * which is replaced with addition, subtracting modulus, and conditional + * move depending on whether or not subtraction borrowed. */ -int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - const BIGNUM *m) +int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + const BIGNUM *m) { - if (!BN_uadd(r, a, b)) + size_t i, ai, bi, mtop = m->top; + BN_ULONG storage[1024 / BN_BITS2]; + BN_ULONG carry, temp, mask, *rp, *tp = storage; + const BN_ULONG *ap, *bp; + + if (bn_wexpand(r, mtop) == NULL) return 0; - if (BN_ucmp(r, m) >= 0) - return BN_usub(r, r, m); + + if (mtop > sizeof(storage) / sizeof(storage[0]) + && (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL) + return 0; + + ap = a->d != NULL ? a->d : tp; + bp = b->d != NULL ? b->d : tp; + + for (i = 0, ai = 0, bi = 0, carry = 0; i < mtop;) { + mask = (BN_ULONG)0 - ((i - a->top) >> (8 * sizeof(i) - 1)); + temp = ((ap[ai] & mask) + carry) & BN_MASK2; + carry = (temp < carry); + + mask = (BN_ULONG)0 - ((i - b->top) >> (8 * sizeof(i) - 1)); + tp[i] = ((bp[bi] & mask) + temp) & BN_MASK2; + carry += (tp[i] < temp); + + i++; + ai += (i - a->dmax) >> (8 * sizeof(i) - 1); + bi += (i - b->dmax) >> (8 * sizeof(i) - 1); + } + rp = r->d; + carry -= bn_sub_words(rp, tp, m->d, mtop); + for (i = 0; i < mtop; i++) { + rp[i] = (carry & tp[i]) | (~carry & rp[i]); + ((volatile BN_ULONG *)tp)[i] = 0; + } + r->top = mtop; + r->neg = 0; + + if (tp != storage) + OPENSSL_free(tp); + return 1; } +int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + const BIGNUM *m) +{ + int ret = bn_mod_add_fixed_top(r, a, b, m); + + if (ret) + bn_correct_top(r); + + return ret; +} + int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx) { diff --git a/deps/openssl/openssl/crypto/bn/bn_mont.c b/deps/openssl/openssl/crypto/bn/bn_mont.c index faef581571..3ccf8eaf37 100644 --- a/deps/openssl/openssl/crypto/bn/bn_mont.c +++ b/deps/openssl/openssl/crypto/bn/bn_mont.c @@ -20,29 +20,43 @@ #define MONT_WORD /* use the faster word-based algorithm */ #ifdef MONT_WORD -static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont); +static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont); #endif int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_MONT_CTX *mont, BN_CTX *ctx) { + int ret = bn_mul_mont_fixed_top(r, a, b, mont, ctx); + + bn_correct_top(r); + bn_check_top(r); + + return ret; +} + +int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + BN_MONT_CTX *mont, BN_CTX *ctx) +{ BIGNUM *tmp; int ret = 0; -#if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD) int num = mont->N.top; +#if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD) if (num > 1 && a->top == num && b->top == num) { if (bn_wexpand(r, num) == NULL) return (0); if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) { r->neg = a->neg ^ b->neg; r->top = num; - bn_correct_top(r); + r->flags |= BN_FLG_FIXED_TOP; return (1); } } #endif + if ((a->top + b->top) > 2 * num) + return 0; + BN_CTX_start(ctx); tmp = BN_CTX_get(ctx); if (tmp == NULL) @@ -58,13 +72,12 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, } /* reduce from aRR to aR */ #ifdef MONT_WORD - if (!BN_from_montgomery_word(r, tmp, mont)) + if (!bn_from_montgomery_word(r, tmp, mont)) goto err; #else if (!BN_from_montgomery(r, tmp, mont, ctx)) goto err; #endif - bn_check_top(r); ret = 1; err: BN_CTX_end(ctx); @@ -72,7 +85,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, } #ifdef MONT_WORD -static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) +static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) { BIGNUM *n; BN_ULONG *ap, *np, *rp, n0, v, carry; @@ -99,6 +112,7 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) memset(&rp[r->top], 0, sizeof(*rp) * i); r->top = max; + r->flags |= BN_FLG_FIXED_TOP; n0 = mont->n0[0]; /* @@ -117,6 +131,7 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) if (bn_wexpand(ret, nl) == NULL) return (0); ret->top = nl; + ret->flags |= BN_FLG_FIXED_TOP; ret->neg = r->neg; rp = ret->d; @@ -127,20 +142,16 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) */ ap = &(r->d[nl]); + carry -= bn_sub_words(rp, ap, np, nl); /* - * |v| is one if |ap| - |np| underflowed or zero if it did not. Note |v| - * cannot be -1. That would imply the subtraction did not fit in |nl| words, - * and we know at most one subtraction is needed. + * |carry| is -1 if |ap| - |np| underflowed or zero if it did not. Note + * |carry| cannot be 1. That would imply the subtraction did not fit in + * |nl| words, and we know at most one subtraction is needed. */ - v = bn_sub_words(rp, ap, np, nl) - carry; - v = 0 - v; for (i = 0; i < nl; i++) { - rp[i] = (v & ap[i]) | (~v & rp[i]); + rp[i] = (carry & ap[i]) | (~carry & rp[i]); ap[i] = 0; } - bn_correct_top(r); - bn_correct_top(ret); - bn_check_top(ret); return (1); } @@ -154,8 +165,11 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont, BIGNUM *t; BN_CTX_start(ctx); - if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) - retn = BN_from_montgomery_word(ret, t, mont); + if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) { + retn = bn_from_montgomery_word(ret, t, mont); + bn_correct_top(ret); + bn_check_top(ret); + } BN_CTX_end(ctx); #else /* !MONT_WORD */ BIGNUM *t1, *t2; @@ -193,6 +207,12 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont, return (retn); } +int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, + BN_CTX *ctx) +{ + return bn_mul_mont_fixed_top(r, a, &(mont->RR), mont, ctx); +} + BN_MONT_CTX *BN_MONT_CTX_new(void) { BN_MONT_CTX *ret; @@ -229,7 +249,7 @@ void BN_MONT_CTX_free(BN_MONT_CTX *mont) int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) { - int ret = 0; + int i, ret = 0; BIGNUM *Ri, *R; if (BN_is_zero(mod)) @@ -278,7 +298,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) if ((buf[1] = mod->top > 1 ? mod->d[1] : 0)) tmod.top = 2; - if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL) + if (BN_is_one(&tmod)) + BN_zero(Ri); + else if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL) goto err; if (!BN_lshift(Ri, Ri, 2 * BN_BITS2)) goto err; /* R*Ri */ @@ -311,7 +333,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) buf[1] = 0; tmod.top = buf[0] != 0 ? 1 : 0; /* Ri = R^-1 mod N */ - if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL) + if (BN_is_one(&tmod)) + BN_zero(Ri); + else if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL) goto err; if (!BN_lshift(Ri, Ri, BN_BITS2)) goto err; /* R*Ri */ @@ -360,6 +384,11 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx)) goto err; + for (i = mont->RR.top, ret = mont->N.top; i < ret; i++) + mont->RR.d[i] = 0; + mont->RR.top = ret; + mont->RR.flags |= BN_FLG_FIXED_TOP; + ret = 1; err: BN_CTX_end(ctx); diff --git a/deps/openssl/openssl/crypto/bn/bn_prime.h b/deps/openssl/openssl/crypto/bn/bn_prime.h index 5f5cc4f580..41440fa4e1 100644 --- a/deps/openssl/openssl/crypto/bn/bn_prime.h +++ b/deps/openssl/openssl/crypto/bn/bn_prime.h @@ -15,260 +15,260 @@ typedef unsigned short prime_t; static const prime_t primes[2048] = { - 2, 3, 5, 7, 11, 13, 17, 19, - 23, 29, 31, 37, 41, 43, 47, 53, - 59, 61, 67, 71, 73, 79, 83, 89, - 97, 101, 103, 107, 109, 113, 127, 131, - 137, 139, 149, 151, 157, 163, 167, 173, - 179, 181, 191, 193, 197, 199, 211, 223, - 227, 229, 233, 239, 241, 251, 257, 263, - 269, 271, 277, 281, 283, 293, 307, 311, - 313, 317, 331, 337, 347, 349, 353, 359, - 367, 373, 379, 383, 389, 397, 401, 409, - 419, 421, 431, 433, 439, 443, 449, 457, - 461, 463, 467, 479, 487, 491, 499, 503, - 509, 521, 523, 541, 547, 557, 563, 569, - 571, 577, 587, 593, 599, 601, 607, 613, - 617, 619, 631, 641, 643, 647, 653, 659, - 661, 673, 677, 683, 691, 701, 709, 719, - 727, 733, 739, 743, 751, 757, 761, 769, - 773, 787, 797, 809, 811, 821, 823, 827, - 829, 839, 853, 857, 859, 863, 877, 881, - 883, 887, 907, 911, 919, 929, 937, 941, - 947, 953, 967, 971, 977, 983, 991, 997, - 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, - 1051, 1061, 1063, 1069, 1087, 1091, 1093, 1097, - 1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163, - 1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223, - 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, - 1289, 1291, 1297, 1301, 1303, 1307, 1319, 1321, - 1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423, - 1427, 1429, 1433, 1439, 1447, 1451, 1453, 1459, - 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, - 1523, 1531, 1543, 1549, 1553, 1559, 1567, 1571, - 1579, 1583, 1597, 1601, 1607, 1609, 1613, 1619, - 1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693, - 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, - 1753, 1759, 1777, 1783, 1787, 1789, 1801, 1811, - 1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877, - 1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949, - 1951, 1973, 1979, 1987, 1993, 1997, 1999, 2003, - 2011, 2017, 2027, 2029, 2039, 2053, 2063, 2069, - 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129, - 2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203, - 2207, 2213, 2221, 2237, 2239, 2243, 2251, 2267, - 2269, 2273, 2281, 2287, 2293, 2297, 2309, 2311, - 2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377, - 2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423, - 2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503, - 2521, 2531, 2539, 2543, 2549, 2551, 2557, 2579, - 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657, - 2659, 2663, 2671, 2677, 2683, 2687, 2689, 2693, - 2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741, - 2749, 2753, 2767, 2777, 2789, 2791, 2797, 2801, - 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, - 2879, 2887, 2897, 2903, 2909, 2917, 2927, 2939, - 2953, 2957, 2963, 2969, 2971, 2999, 3001, 3011, - 3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079, - 3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, - 3169, 3181, 3187, 3191, 3203, 3209, 3217, 3221, - 3229, 3251, 3253, 3257, 3259, 3271, 3299, 3301, - 3307, 3313, 3319, 3323, 3329, 3331, 3343, 3347, - 3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413, - 3433, 3449, 3457, 3461, 3463, 3467, 3469, 3491, - 3499, 3511, 3517, 3527, 3529, 3533, 3539, 3541, - 3547, 3557, 3559, 3571, 3581, 3583, 3593, 3607, - 3613, 3617, 3623, 3631, 3637, 3643, 3659, 3671, - 3673, 3677, 3691, 3697, 3701, 3709, 3719, 3727, - 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797, - 3803, 3821, 3823, 3833, 3847, 3851, 3853, 3863, - 3877, 3881, 3889, 3907, 3911, 3917, 3919, 3923, - 3929, 3931, 3943, 3947, 3967, 3989, 4001, 4003, - 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, - 4073, 4079, 4091, 4093, 4099, 4111, 4127, 4129, - 4133, 4139, 4153, 4157, 4159, 4177, 4201, 4211, - 4217, 4219, 4229, 4231, 4241, 4243, 4253, 4259, - 4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337, - 4339, 4349, 4357, 4363, 4373, 4391, 4397, 4409, - 4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481, - 4483, 4493, 4507, 4513, 4517, 4519, 4523, 4547, - 4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621, - 4637, 4639, 4643, 4649, 4651, 4657, 4663, 4673, - 4679, 4691, 4703, 4721, 4723, 4729, 4733, 4751, - 4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813, - 4817, 4831, 4861, 4871, 4877, 4889, 4903, 4909, - 4919, 4931, 4933, 4937, 4943, 4951, 4957, 4967, - 4969, 4973, 4987, 4993, 4999, 5003, 5009, 5011, - 5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087, - 5099, 5101, 5107, 5113, 5119, 5147, 5153, 5167, - 5171, 5179, 5189, 5197, 5209, 5227, 5231, 5233, - 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309, - 5323, 5333, 5347, 5351, 5381, 5387, 5393, 5399, - 5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443, - 5449, 5471, 5477, 5479, 5483, 5501, 5503, 5507, - 5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573, - 5581, 5591, 5623, 5639, 5641, 5647, 5651, 5653, - 5657, 5659, 5669, 5683, 5689, 5693, 5701, 5711, - 5717, 5737, 5741, 5743, 5749, 5779, 5783, 5791, - 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, - 5851, 5857, 5861, 5867, 5869, 5879, 5881, 5897, - 5903, 5923, 5927, 5939, 5953, 5981, 5987, 6007, - 6011, 6029, 6037, 6043, 6047, 6053, 6067, 6073, - 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, - 6143, 6151, 6163, 6173, 6197, 6199, 6203, 6211, - 6217, 6221, 6229, 6247, 6257, 6263, 6269, 6271, - 6277, 6287, 6299, 6301, 6311, 6317, 6323, 6329, - 6337, 6343, 6353, 6359, 6361, 6367, 6373, 6379, - 6389, 6397, 6421, 6427, 6449, 6451, 6469, 6473, - 6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563, - 6569, 6571, 6577, 6581, 6599, 6607, 6619, 6637, - 6653, 6659, 6661, 6673, 6679, 6689, 6691, 6701, - 6703, 6709, 6719, 6733, 6737, 6761, 6763, 6779, - 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833, - 6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907, - 6911, 6917, 6947, 6949, 6959, 6961, 6967, 6971, - 6977, 6983, 6991, 6997, 7001, 7013, 7019, 7027, - 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121, - 7127, 7129, 7151, 7159, 7177, 7187, 7193, 7207, - 7211, 7213, 7219, 7229, 7237, 7243, 7247, 7253, - 7283, 7297, 7307, 7309, 7321, 7331, 7333, 7349, - 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, - 7459, 7477, 7481, 7487, 7489, 7499, 7507, 7517, - 7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561, - 7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621, - 7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691, - 7699, 7703, 7717, 7723, 7727, 7741, 7753, 7757, - 7759, 7789, 7793, 7817, 7823, 7829, 7841, 7853, - 7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919, - 7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009, - 8011, 8017, 8039, 8053, 8059, 8069, 8081, 8087, - 8089, 8093, 8101, 8111, 8117, 8123, 8147, 8161, - 8167, 8171, 8179, 8191, 8209, 8219, 8221, 8231, - 8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291, - 8293, 8297, 8311, 8317, 8329, 8353, 8363, 8369, - 8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443, - 8447, 8461, 8467, 8501, 8513, 8521, 8527, 8537, - 8539, 8543, 8563, 8573, 8581, 8597, 8599, 8609, - 8623, 8627, 8629, 8641, 8647, 8663, 8669, 8677, - 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, - 8737, 8741, 8747, 8753, 8761, 8779, 8783, 8803, - 8807, 8819, 8821, 8831, 8837, 8839, 8849, 8861, - 8863, 8867, 8887, 8893, 8923, 8929, 8933, 8941, - 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, - 9013, 9029, 9041, 9043, 9049, 9059, 9067, 9091, - 9103, 9109, 9127, 9133, 9137, 9151, 9157, 9161, - 9173, 9181, 9187, 9199, 9203, 9209, 9221, 9227, - 9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311, - 9319, 9323, 9337, 9341, 9343, 9349, 9371, 9377, - 9391, 9397, 9403, 9413, 9419, 9421, 9431, 9433, - 9437, 9439, 9461, 9463, 9467, 9473, 9479, 9491, - 9497, 9511, 9521, 9533, 9539, 9547, 9551, 9587, - 9601, 9613, 9619, 9623, 9629, 9631, 9643, 9649, - 9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733, - 9739, 9743, 9749, 9767, 9769, 9781, 9787, 9791, - 9803, 9811, 9817, 9829, 9833, 9839, 9851, 9857, - 9859, 9871, 9883, 9887, 9901, 9907, 9923, 9929, - 9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037, - 10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099, - 10103, 10111, 10133, 10139, 10141, 10151, 10159, 10163, - 10169, 10177, 10181, 10193, 10211, 10223, 10243, 10247, - 10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303, - 10313, 10321, 10331, 10333, 10337, 10343, 10357, 10369, - 10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459, - 10463, 10477, 10487, 10499, 10501, 10513, 10529, 10531, - 10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627, - 10631, 10639, 10651, 10657, 10663, 10667, 10687, 10691, - 10709, 10711, 10723, 10729, 10733, 10739, 10753, 10771, - 10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859, - 10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, - 10939, 10949, 10957, 10973, 10979, 10987, 10993, 11003, - 11027, 11047, 11057, 11059, 11069, 11071, 11083, 11087, - 11093, 11113, 11117, 11119, 11131, 11149, 11159, 11161, - 11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251, - 11257, 11261, 11273, 11279, 11287, 11299, 11311, 11317, - 11321, 11329, 11351, 11353, 11369, 11383, 11393, 11399, - 11411, 11423, 11437, 11443, 11447, 11467, 11471, 11483, - 11489, 11491, 11497, 11503, 11519, 11527, 11549, 11551, - 11579, 11587, 11593, 11597, 11617, 11621, 11633, 11657, - 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731, - 11743, 11777, 11779, 11783, 11789, 11801, 11807, 11813, - 11821, 11827, 11831, 11833, 11839, 11863, 11867, 11887, - 11897, 11903, 11909, 11923, 11927, 11933, 11939, 11941, - 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, - 12037, 12041, 12043, 12049, 12071, 12073, 12097, 12101, - 12107, 12109, 12113, 12119, 12143, 12149, 12157, 12161, - 12163, 12197, 12203, 12211, 12227, 12239, 12241, 12251, - 12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323, - 12329, 12343, 12347, 12373, 12377, 12379, 12391, 12401, - 12409, 12413, 12421, 12433, 12437, 12451, 12457, 12473, - 12479, 12487, 12491, 12497, 12503, 12511, 12517, 12527, - 12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589, - 12601, 12611, 12613, 12619, 12637, 12641, 12647, 12653, - 12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739, - 12743, 12757, 12763, 12781, 12791, 12799, 12809, 12821, - 12823, 12829, 12841, 12853, 12889, 12893, 12899, 12907, - 12911, 12917, 12919, 12923, 12941, 12953, 12959, 12967, - 12973, 12979, 12983, 13001, 13003, 13007, 13009, 13033, - 13037, 13043, 13049, 13063, 13093, 13099, 13103, 13109, - 13121, 13127, 13147, 13151, 13159, 13163, 13171, 13177, - 13183, 13187, 13217, 13219, 13229, 13241, 13249, 13259, - 13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337, - 13339, 13367, 13381, 13397, 13399, 13411, 13417, 13421, - 13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499, - 13513, 13523, 13537, 13553, 13567, 13577, 13591, 13597, - 13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681, - 13687, 13691, 13693, 13697, 13709, 13711, 13721, 13723, - 13729, 13751, 13757, 13759, 13763, 13781, 13789, 13799, - 13807, 13829, 13831, 13841, 13859, 13873, 13877, 13879, - 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, - 13963, 13967, 13997, 13999, 14009, 14011, 14029, 14033, - 14051, 14057, 14071, 14081, 14083, 14087, 14107, 14143, - 14149, 14153, 14159, 14173, 14177, 14197, 14207, 14221, - 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, - 14327, 14341, 14347, 14369, 14387, 14389, 14401, 14407, - 14411, 14419, 14423, 14431, 14437, 14447, 14449, 14461, - 14479, 14489, 14503, 14519, 14533, 14537, 14543, 14549, - 14551, 14557, 14561, 14563, 14591, 14593, 14621, 14627, - 14629, 14633, 14639, 14653, 14657, 14669, 14683, 14699, - 14713, 14717, 14723, 14731, 14737, 14741, 14747, 14753, - 14759, 14767, 14771, 14779, 14783, 14797, 14813, 14821, - 14827, 14831, 14843, 14851, 14867, 14869, 14879, 14887, - 14891, 14897, 14923, 14929, 14939, 14947, 14951, 14957, - 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073, - 15077, 15083, 15091, 15101, 15107, 15121, 15131, 15137, - 15139, 15149, 15161, 15173, 15187, 15193, 15199, 15217, - 15227, 15233, 15241, 15259, 15263, 15269, 15271, 15277, - 15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331, - 15349, 15359, 15361, 15373, 15377, 15383, 15391, 15401, - 15413, 15427, 15439, 15443, 15451, 15461, 15467, 15473, - 15493, 15497, 15511, 15527, 15541, 15551, 15559, 15569, - 15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643, - 15647, 15649, 15661, 15667, 15671, 15679, 15683, 15727, - 15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773, - 15787, 15791, 15797, 15803, 15809, 15817, 15823, 15859, - 15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919, - 15923, 15937, 15959, 15971, 15973, 15991, 16001, 16007, - 16033, 16057, 16061, 16063, 16067, 16069, 16073, 16087, - 16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183, - 16187, 16189, 16193, 16217, 16223, 16229, 16231, 16249, - 16253, 16267, 16273, 16301, 16319, 16333, 16339, 16349, - 16361, 16363, 16369, 16381, 16411, 16417, 16421, 16427, - 16433, 16447, 16451, 16453, 16477, 16481, 16487, 16493, - 16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603, - 16607, 16619, 16631, 16633, 16649, 16651, 16657, 16661, - 16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747, - 16759, 16763, 16787, 16811, 16823, 16829, 16831, 16843, - 16871, 16879, 16883, 16889, 16901, 16903, 16921, 16927, - 16931, 16937, 16943, 16963, 16979, 16981, 16987, 16993, - 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, - 17077, 17093, 17099, 17107, 17117, 17123, 17137, 17159, - 17167, 17183, 17189, 17191, 17203, 17207, 17209, 17231, - 17239, 17257, 17291, 17293, 17299, 17317, 17321, 17327, - 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, - 17393, 17401, 17417, 17419, 17431, 17443, 17449, 17467, - 17471, 17477, 17483, 17489, 17491, 17497, 17509, 17519, - 17539, 17551, 17569, 17573, 17579, 17581, 17597, 17599, - 17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683, - 17707, 17713, 17729, 17737, 17747, 17749, 17761, 17783, - 17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863, + 2, 3, 5, 7, 11, 13, 17, 19, + 23, 29, 31, 37, 41, 43, 47, 53, + 59, 61, 67, 71, 73, 79, 83, 89, + 97, 101, 103, 107, 109, 113, 127, 131, + 137, 139, 149, 151, 157, 163, 167, 173, + 179, 181, 191, 193, 197, 199, 211, 223, + 227, 229, 233, 239, 241, 251, 257, 263, + 269, 271, 277, 281, 283, 293, 307, 311, + 313, 317, 331, 337, 347, 349, 353, 359, + 367, 373, 379, 383, 389, 397, 401, 409, + 419, 421, 431, 433, 439, 443, 449, 457, + 461, 463, 467, 479, 487, 491, 499, 503, + 509, 521, 523, 541, 547, 557, 563, 569, + 571, 577, 587, 593, 599, 601, 607, 613, + 617, 619, 631, 641, 643, 647, 653, 659, + 661, 673, 677, 683, 691, 701, 709, 719, + 727, 733, 739, 743, 751, 757, 761, 769, + 773, 787, 797, 809, 811, 821, 823, 827, + 829, 839, 853, 857, 859, 863, 877, 881, + 883, 887, 907, 911, 919, 929, 937, 941, + 947, 953, 967, 971, 977, 983, 991, 997, + 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, + 1051, 1061, 1063, 1069, 1087, 1091, 1093, 1097, + 1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163, + 1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223, + 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, + 1289, 1291, 1297, 1301, 1303, 1307, 1319, 1321, + 1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423, + 1427, 1429, 1433, 1439, 1447, 1451, 1453, 1459, + 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, + 1523, 1531, 1543, 1549, 1553, 1559, 1567, 1571, + 1579, 1583, 1597, 1601, 1607, 1609, 1613, 1619, + 1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693, + 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, + 1753, 1759, 1777, 1783, 1787, 1789, 1801, 1811, + 1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877, + 1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949, + 1951, 1973, 1979, 1987, 1993, 1997, 1999, 2003, + 2011, 2017, 2027, 2029, 2039, 2053, 2063, 2069, + 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129, + 2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203, + 2207, 2213, 2221, 2237, 2239, 2243, 2251, 2267, + 2269, 2273, 2281, 2287, 2293, 2297, 2309, 2311, + 2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377, + 2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423, + 2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503, + 2521, 2531, 2539, 2543, 2549, 2551, 2557, 2579, + 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657, + 2659, 2663, 2671, 2677, 2683, 2687, 2689, 2693, + 2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741, + 2749, 2753, 2767, 2777, 2789, 2791, 2797, 2801, + 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, + 2879, 2887, 2897, 2903, 2909, 2917, 2927, 2939, + 2953, 2957, 2963, 2969, 2971, 2999, 3001, 3011, + 3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079, + 3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, + 3169, 3181, 3187, 3191, 3203, 3209, 3217, 3221, + 3229, 3251, 3253, 3257, 3259, 3271, 3299, 3301, + 3307, 3313, 3319, 3323, 3329, 3331, 3343, 3347, + 3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413, + 3433, 3449, 3457, 3461, 3463, 3467, 3469, 3491, + 3499, 3511, 3517, 3527, 3529, 3533, 3539, 3541, + 3547, 3557, 3559, 3571, 3581, 3583, 3593, 3607, + 3613, 3617, 3623, 3631, 3637, 3643, 3659, 3671, + 3673, 3677, 3691, 3697, 3701, 3709, 3719, 3727, + 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797, + 3803, 3821, 3823, 3833, 3847, 3851, 3853, 3863, + 3877, 3881, 3889, 3907, 3911, 3917, 3919, 3923, + 3929, 3931, 3943, 3947, 3967, 3989, 4001, 4003, + 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, + 4073, 4079, 4091, 4093, 4099, 4111, 4127, 4129, + 4133, 4139, 4153, 4157, 4159, 4177, 4201, 4211, + 4217, 4219, 4229, 4231, 4241, 4243, 4253, 4259, + 4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337, + 4339, 4349, 4357, 4363, 4373, 4391, 4397, 4409, + 4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481, + 4483, 4493, 4507, 4513, 4517, 4519, 4523, 4547, + 4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621, + 4637, 4639, 4643, 4649, 4651, 4657, 4663, 4673, + 4679, 4691, 4703, 4721, 4723, 4729, 4733, 4751, + 4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813, + 4817, 4831, 4861, 4871, 4877, 4889, 4903, 4909, + 4919, 4931, 4933, 4937, 4943, 4951, 4957, 4967, + 4969, 4973, 4987, 4993, 4999, 5003, 5009, 5011, + 5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087, + 5099, 5101, 5107, 5113, 5119, 5147, 5153, 5167, + 5171, 5179, 5189, 5197, 5209, 5227, 5231, 5233, + 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309, + 5323, 5333, 5347, 5351, 5381, 5387, 5393, 5399, + 5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443, + 5449, 5471, 5477, 5479, 5483, 5501, 5503, 5507, + 5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573, + 5581, 5591, 5623, 5639, 5641, 5647, 5651, 5653, + 5657, 5659, 5669, 5683, 5689, 5693, 5701, 5711, + 5717, 5737, 5741, 5743, 5749, 5779, 5783, 5791, + 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, + 5851, 5857, 5861, 5867, 5869, 5879, 5881, 5897, + 5903, 5923, 5927, 5939, 5953, 5981, 5987, 6007, + 6011, 6029, 6037, 6043, 6047, 6053, 6067, 6073, + 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, + 6143, 6151, 6163, 6173, 6197, 6199, 6203, 6211, + 6217, 6221, 6229, 6247, 6257, 6263, 6269, 6271, + 6277, 6287, 6299, 6301, 6311, 6317, 6323, 6329, + 6337, 6343, 6353, 6359, 6361, 6367, 6373, 6379, + 6389, 6397, 6421, 6427, 6449, 6451, 6469, 6473, + 6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563, + 6569, 6571, 6577, 6581, 6599, 6607, 6619, 6637, + 6653, 6659, 6661, 6673, 6679, 6689, 6691, 6701, + 6703, 6709, 6719, 6733, 6737, 6761, 6763, 6779, + 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833, + 6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907, + 6911, 6917, 6947, 6949, 6959, 6961, 6967, 6971, + 6977, 6983, 6991, 6997, 7001, 7013, 7019, 7027, + 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121, + 7127, 7129, 7151, 7159, 7177, 7187, 7193, 7207, + 7211, 7213, 7219, 7229, 7237, 7243, 7247, 7253, + 7283, 7297, 7307, 7309, 7321, 7331, 7333, 7349, + 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, + 7459, 7477, 7481, 7487, 7489, 7499, 7507, 7517, + 7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561, + 7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621, + 7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691, + 7699, 7703, 7717, 7723, 7727, 7741, 7753, 7757, + 7759, 7789, 7793, 7817, 7823, 7829, 7841, 7853, + 7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919, + 7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009, + 8011, 8017, 8039, 8053, 8059, 8069, 8081, 8087, + 8089, 8093, 8101, 8111, 8117, 8123, 8147, 8161, + 8167, 8171, 8179, 8191, 8209, 8219, 8221, 8231, + 8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291, + 8293, 8297, 8311, 8317, 8329, 8353, 8363, 8369, + 8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443, + 8447, 8461, 8467, 8501, 8513, 8521, 8527, 8537, + 8539, 8543, 8563, 8573, 8581, 8597, 8599, 8609, + 8623, 8627, 8629, 8641, 8647, 8663, 8669, 8677, + 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, + 8737, 8741, 8747, 8753, 8761, 8779, 8783, 8803, + 8807, 8819, 8821, 8831, 8837, 8839, 8849, 8861, + 8863, 8867, 8887, 8893, 8923, 8929, 8933, 8941, + 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, + 9013, 9029, 9041, 9043, 9049, 9059, 9067, 9091, + 9103, 9109, 9127, 9133, 9137, 9151, 9157, 9161, + 9173, 9181, 9187, 9199, 9203, 9209, 9221, 9227, + 9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311, + 9319, 9323, 9337, 9341, 9343, 9349, 9371, 9377, + 9391, 9397, 9403, 9413, 9419, 9421, 9431, 9433, + 9437, 9439, 9461, 9463, 9467, 9473, 9479, 9491, + 9497, 9511, 9521, 9533, 9539, 9547, 9551, 9587, + 9601, 9613, 9619, 9623, 9629, 9631, 9643, 9649, + 9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733, + 9739, 9743, 9749, 9767, 9769, 9781, 9787, 9791, + 9803, 9811, 9817, 9829, 9833, 9839, 9851, 9857, + 9859, 9871, 9883, 9887, 9901, 9907, 9923, 9929, + 9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037, + 10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099, + 10103, 10111, 10133, 10139, 10141, 10151, 10159, 10163, + 10169, 10177, 10181, 10193, 10211, 10223, 10243, 10247, + 10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303, + 10313, 10321, 10331, 10333, 10337, 10343, 10357, 10369, + 10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459, + 10463, 10477, 10487, 10499, 10501, 10513, 10529, 10531, + 10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627, + 10631, 10639, 10651, 10657, 10663, 10667, 10687, 10691, + 10709, 10711, 10723, 10729, 10733, 10739, 10753, 10771, + 10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859, + 10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, + 10939, 10949, 10957, 10973, 10979, 10987, 10993, 11003, + 11027, 11047, 11057, 11059, 11069, 11071, 11083, 11087, + 11093, 11113, 11117, 11119, 11131, 11149, 11159, 11161, + 11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251, + 11257, 11261, 11273, 11279, 11287, 11299, 11311, 11317, + 11321, 11329, 11351, 11353, 11369, 11383, 11393, 11399, + 11411, 11423, 11437, 11443, 11447, 11467, 11471, 11483, + 11489, 11491, 11497, 11503, 11519, 11527, 11549, 11551, + 11579, 11587, 11593, 11597, 11617, 11621, 11633, 11657, + 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731, + 11743, 11777, 11779, 11783, 11789, 11801, 11807, 11813, + 11821, 11827, 11831, 11833, 11839, 11863, 11867, 11887, + 11897, 11903, 11909, 11923, 11927, 11933, 11939, 11941, + 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, + 12037, 12041, 12043, 12049, 12071, 12073, 12097, 12101, + 12107, 12109, 12113, 12119, 12143, 12149, 12157, 12161, + 12163, 12197, 12203, 12211, 12227, 12239, 12241, 12251, + 12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323, + 12329, 12343, 12347, 12373, 12377, 12379, 12391, 12401, + 12409, 12413, 12421, 12433, 12437, 12451, 12457, 12473, + 12479, 12487, 12491, 12497, 12503, 12511, 12517, 12527, + 12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589, + 12601, 12611, 12613, 12619, 12637, 12641, 12647, 12653, + 12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739, + 12743, 12757, 12763, 12781, 12791, 12799, 12809, 12821, + 12823, 12829, 12841, 12853, 12889, 12893, 12899, 12907, + 12911, 12917, 12919, 12923, 12941, 12953, 12959, 12967, + 12973, 12979, 12983, 13001, 13003, 13007, 13009, 13033, + 13037, 13043, 13049, 13063, 13093, 13099, 13103, 13109, + 13121, 13127, 13147, 13151, 13159, 13163, 13171, 13177, + 13183, 13187, 13217, 13219, 13229, 13241, 13249, 13259, + 13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337, + 13339, 13367, 13381, 13397, 13399, 13411, 13417, 13421, + 13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499, + 13513, 13523, 13537, 13553, 13567, 13577, 13591, 13597, + 13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681, + 13687, 13691, 13693, 13697, 13709, 13711, 13721, 13723, + 13729, 13751, 13757, 13759, 13763, 13781, 13789, 13799, + 13807, 13829, 13831, 13841, 13859, 13873, 13877, 13879, + 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, + 13963, 13967, 13997, 13999, 14009, 14011, 14029, 14033, + 14051, 14057, 14071, 14081, 14083, 14087, 14107, 14143, + 14149, 14153, 14159, 14173, 14177, 14197, 14207, 14221, + 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, + 14327, 14341, 14347, 14369, 14387, 14389, 14401, 14407, + 14411, 14419, 14423, 14431, 14437, 14447, 14449, 14461, + 14479, 14489, 14503, 14519, 14533, 14537, 14543, 14549, + 14551, 14557, 14561, 14563, 14591, 14593, 14621, 14627, + 14629, 14633, 14639, 14653, 14657, 14669, 14683, 14699, + 14713, 14717, 14723, 14731, 14737, 14741, 14747, 14753, + 14759, 14767, 14771, 14779, 14783, 14797, 14813, 14821, + 14827, 14831, 14843, 14851, 14867, 14869, 14879, 14887, + 14891, 14897, 14923, 14929, 14939, 14947, 14951, 14957, + 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073, + 15077, 15083, 15091, 15101, 15107, 15121, 15131, 15137, + 15139, 15149, 15161, 15173, 15187, 15193, 15199, 15217, + 15227, 15233, 15241, 15259, 15263, 15269, 15271, 15277, + 15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331, + 15349, 15359, 15361, 15373, 15377, 15383, 15391, 15401, + 15413, 15427, 15439, 15443, 15451, 15461, 15467, 15473, + 15493, 15497, 15511, 15527, 15541, 15551, 15559, 15569, + 15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643, + 15647, 15649, 15661, 15667, 15671, 15679, 15683, 15727, + 15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773, + 15787, 15791, 15797, 15803, 15809, 15817, 15823, 15859, + 15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919, + 15923, 15937, 15959, 15971, 15973, 15991, 16001, 16007, + 16033, 16057, 16061, 16063, 16067, 16069, 16073, 16087, + 16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183, + 16187, 16189, 16193, 16217, 16223, 16229, 16231, 16249, + 16253, 16267, 16273, 16301, 16319, 16333, 16339, 16349, + 16361, 16363, 16369, 16381, 16411, 16417, 16421, 16427, + 16433, 16447, 16451, 16453, 16477, 16481, 16487, 16493, + 16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603, + 16607, 16619, 16631, 16633, 16649, 16651, 16657, 16661, + 16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747, + 16759, 16763, 16787, 16811, 16823, 16829, 16831, 16843, + 16871, 16879, 16883, 16889, 16901, 16903, 16921, 16927, + 16931, 16937, 16943, 16963, 16979, 16981, 16987, 16993, + 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, + 17077, 17093, 17099, 17107, 17117, 17123, 17137, 17159, + 17167, 17183, 17189, 17191, 17203, 17207, 17209, 17231, + 17239, 17257, 17291, 17293, 17299, 17317, 17321, 17327, + 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, + 17393, 17401, 17417, 17419, 17431, 17443, 17449, 17467, + 17471, 17477, 17483, 17489, 17491, 17497, 17509, 17519, + 17539, 17551, 17569, 17573, 17579, 17581, 17597, 17599, + 17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683, + 17707, 17713, 17729, 17737, 17747, 17749, 17761, 17783, + 17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863, }; diff --git a/deps/openssl/openssl/crypto/bn/bn_sqr.c b/deps/openssl/openssl/crypto/bn/bn_sqr.c index 44e7332acf..1f12a14e44 100644 --- a/deps/openssl/openssl/crypto/bn/bn_sqr.c +++ b/deps/openssl/openssl/crypto/bn/bn_sqr.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -82,14 +82,8 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) } rr->neg = 0; - /* - * If the most-significant half of the top word of 'a' is zero, then the - * square of 'a' will max-1 words. - */ - if (a->d[al - 1] == (a->d[al - 1] & BN_MASK2l)) - rr->top = max - 1; - else - rr->top = max; + rr->top = max; + bn_correct_top(rr); if (r != rr && BN_copy(r, rr) == NULL) goto err; diff --git a/deps/openssl/openssl/crypto/build.info b/deps/openssl/openssl/crypto/build.info index 916d24f66e..e693ebadcd 100644 --- a/deps/openssl/openssl/crypto/build.info +++ b/deps/openssl/openssl/crypto/build.info @@ -1,4 +1,3 @@ -{- use File::Spec::Functions qw/catdir catfile/; -} LIBS=../libcrypto SOURCE[../libcrypto]=\ cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c cpt_err.c \ diff --git a/deps/openssl/openssl/crypto/cast/asm/cast-586.pl b/deps/openssl/openssl/crypto/cast/asm/cast-586.pl index 9024b67e32..6beb9c5f25 100644 --- a/deps/openssl/openssl/crypto/cast/asm/cast-586.pl +++ b/deps/openssl/openssl/crypto/cast/asm/cast-586.pl @@ -7,7 +7,7 @@ # https://www.openssl.org/source/license.html -# This flag makes the inner loop one cycle longer, but generates +# This flag makes the inner loop one cycle longer, but generates # code that runs %30 faster on the pentium pro/II, 44% faster # of PIII, while only %7 slower on the pentium. # By default, this flag is on. diff --git a/deps/openssl/openssl/crypto/chacha/asm/chacha-armv4.pl b/deps/openssl/openssl/crypto/chacha/asm/chacha-armv4.pl index c90306e45c..b5e21e4938 100755 --- a/deps/openssl/openssl/crypto/chacha/asm/chacha-armv4.pl +++ b/deps/openssl/openssl/crypto/chacha/asm/chacha-armv4.pl @@ -15,7 +15,7 @@ # ==================================================================== # # December 2014 -# +# # ChaCha20 for ARMv4. # # Performance in cycles per byte out of large buffer. @@ -720,7 +720,7 @@ ChaCha20_neon: vadd.i32 $d2,$d1,$t0 @ counter+2 str @t[3], [sp,#4*(16+15)] mov @t[3],#10 - add @x[12],@x[12],#3 @ counter+3 + add @x[12],@x[12],#3 @ counter+3 b .Loop_neon .align 4 diff --git a/deps/openssl/openssl/crypto/chacha/asm/chacha-armv8.pl b/deps/openssl/openssl/crypto/chacha/asm/chacha-armv8.pl index db3776a2fc..f7e1074714 100755 --- a/deps/openssl/openssl/crypto/chacha/asm/chacha-armv8.pl +++ b/deps/openssl/openssl/crypto/chacha/asm/chacha-armv8.pl @@ -15,7 +15,7 @@ # ==================================================================== # # June 2015 -# +# # ChaCha20 for ARMv8. # # Performance in cycles per byte out of large buffer. @@ -201,7 +201,7 @@ ChaCha20_ctr32: mov $ctr,#10 subs $len,$len,#64 .Loop: - sub $ctr,$ctr,#1 + sub $ctr,$ctr,#1 ___ foreach (&ROUND(0, 4, 8,12)) { eval; } foreach (&ROUND(0, 5,10,15)) { eval; } diff --git a/deps/openssl/openssl/crypto/chacha/asm/chacha-ppc.pl b/deps/openssl/openssl/crypto/chacha/asm/chacha-ppc.pl index f972ee471a..181decdad9 100755 --- a/deps/openssl/openssl/crypto/chacha/asm/chacha-ppc.pl +++ b/deps/openssl/openssl/crypto/chacha/asm/chacha-ppc.pl @@ -15,7 +15,7 @@ # ==================================================================== # # October 2015 -# +# # ChaCha20 for PowerPC/AltiVec. # # Performance in cycles per byte out of large buffer. @@ -525,7 +525,7 @@ $code.=<<___; lwz @d[3],12($ctr) vadduwm @K[5],@K[4],@K[5] - vspltisw $twenty,-12 # synthesize constants + vspltisw $twenty,-12 # synthesize constants vspltisw $twelve,12 vspltisw $twenty5,-7 #vspltisw $seven,7 # synthesized in the loop diff --git a/deps/openssl/openssl/crypto/chacha/asm/chacha-x86.pl b/deps/openssl/openssl/crypto/chacha/asm/chacha-x86.pl index 61b328612b..932dec67e4 100755 --- a/deps/openssl/openssl/crypto/chacha/asm/chacha-x86.pl +++ b/deps/openssl/openssl/crypto/chacha/asm/chacha-x86.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -61,7 +61,7 @@ $ymm=1 if ($xmm && !$ymm && $ARGV[0] eq "win32" && $1>=10); # first version supporting AVX $ymm=1 if ($xmm && !$ymm && - `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/ && + `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/ && $2>=3.0); # first version supporting AVX $a="eax"; diff --git a/deps/openssl/openssl/crypto/chacha/build.info b/deps/openssl/openssl/crypto/chacha/build.info index ed1e01ae30..f99114c135 100644 --- a/deps/openssl/openssl/crypto/chacha/build.info +++ b/deps/openssl/openssl/crypto/chacha/build.info @@ -8,8 +8,6 @@ GENERATE[chacha-armv4.S]=asm/chacha-armv4.pl $(PERLASM_SCHEME) INCLUDE[chacha-armv4.o]=.. GENERATE[chacha-armv8.S]=asm/chacha-armv8.pl $(PERLASM_SCHEME) INCLUDE[chacha-armv8.o]=.. -GENERATE[chacha-s390x.S]=asm/chacha-s390x.pl $(PERLASM_SCHEME) -INCLUDE[chacha-s390x.o]=.. BEGINRAW[Makefile(unix)] ##### CHACHA assembler implementations diff --git a/deps/openssl/openssl/crypto/cms/cms_env.c b/deps/openssl/openssl/crypto/cms/cms_env.c index 8d45943530..fe5076ec02 100644 --- a/deps/openssl/openssl/crypto/cms/cms_env.c +++ b/deps/openssl/openssl/crypto/cms/cms_env.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -282,6 +282,7 @@ int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey) CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_PKEY, CMS_R_NOT_KEY_TRANSPORT); return 0; } + EVP_PKEY_free(ri->d.ktri->pkey); ri->d.ktri->pkey = pkey; return 1; } diff --git a/deps/openssl/openssl/crypto/cms/cms_smime.c b/deps/openssl/openssl/crypto/cms/cms_smime.c index 7e7b6e5d4f..5dcf803f4b 100644 --- a/deps/openssl/openssl/crypto/cms/cms_smime.c +++ b/deps/openssl/openssl/crypto/cms/cms_smime.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -631,6 +631,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert) * all. */ else if (!cert || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) { + EVP_PKEY_up_ref(pk); CMS_RecipientInfo_set0_pkey(ri, pk); r = CMS_RecipientInfo_decrypt(cms, ri); CMS_RecipientInfo_set0_pkey(ri, NULL); diff --git a/deps/openssl/openssl/crypto/conf/build.info b/deps/openssl/openssl/crypto/conf/build.info index 4438eb4262..ff367994ea 100644 --- a/deps/openssl/openssl/crypto/conf/build.info +++ b/deps/openssl/openssl/crypto/conf/build.info @@ -1,4 +1,4 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]= \ conf_err.c conf_lib.c conf_api.c conf_def.c conf_mod.c \ - conf_mall.c conf_sap.c + conf_mall.c conf_sap.c conf_ssl.c diff --git a/deps/openssl/openssl/crypto/conf/conf_api.c b/deps/openssl/openssl/crypto/conf/conf_api.c index 5535416ab3..79e682a847 100644 --- a/deps/openssl/openssl/crypto/conf/conf_api.c +++ b/deps/openssl/openssl/crypto/conf/conf_api.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -205,10 +205,14 @@ CONF_VALUE *_CONF_new_section(CONF *conf, const char *section) vv = lh_CONF_VALUE_insert(conf->data, v); OPENSSL_assert(vv == NULL); + if (lh_CONF_VALUE_error(conf->data) > 0) + goto err; return v; err: sk_CONF_VALUE_free(sk); + if (v != NULL) + OPENSSL_free(v->section); OPENSSL_free(v); return NULL; } diff --git a/deps/openssl/openssl/crypto/conf/conf_err.c b/deps/openssl/openssl/crypto/conf/conf_err.c index 0863bc4d36..19f480d5b3 100644 --- a/deps/openssl/openssl/crypto/conf/conf_err.c +++ b/deps/openssl/openssl/crypto/conf/conf_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -37,6 +37,7 @@ static ERR_STRING_DATA CONF_str_functs[] = { {ERR_FUNC(CONF_F_NCONF_LOAD_BIO), "NCONF_load_bio"}, {ERR_FUNC(CONF_F_NCONF_LOAD_FP), "NCONF_load_fp"}, {ERR_FUNC(CONF_F_NCONF_NEW), "NCONF_new"}, + {ERR_FUNC(CONF_F_SSL_MODULE_INIT), "ssl_module_init"}, {ERR_FUNC(CONF_F_STR_COPY), "str_copy"}, {0, NULL} }; @@ -57,6 +58,12 @@ static ERR_STRING_DATA CONF_str_reasons[] = { {ERR_REASON(CONF_R_NO_SECTION), "no section"}, {ERR_REASON(CONF_R_NO_SUCH_FILE), "no such file"}, {ERR_REASON(CONF_R_NO_VALUE), "no value"}, + {ERR_REASON(CONF_R_SSL_COMMAND_SECTION_EMPTY), + "ssl command section empty"}, + {ERR_REASON(CONF_R_SSL_COMMAND_SECTION_NOT_FOUND), + "ssl command section not found"}, + {ERR_REASON(CONF_R_SSL_SECTION_EMPTY), "ssl section empty"}, + {ERR_REASON(CONF_R_SSL_SECTION_NOT_FOUND), "ssl section not found"}, {ERR_REASON(CONF_R_UNABLE_TO_CREATE_NEW_SECTION), "unable to create new section"}, {ERR_REASON(CONF_R_UNKNOWN_MODULE_NAME), "unknown module name"}, diff --git a/deps/openssl/openssl/crypto/conf/conf_lcl.h b/deps/openssl/openssl/crypto/conf/conf_lcl.h new file mode 100644 index 0000000000..6e1f7fe00d --- /dev/null +++ b/deps/openssl/openssl/crypto/conf/conf_lcl.h @@ -0,0 +1,11 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +void conf_add_ssl_module(void); + diff --git a/deps/openssl/openssl/crypto/conf/conf_mall.c b/deps/openssl/openssl/crypto/conf/conf_mall.c index 4e7a434e0e..7e86948e89 100644 --- a/deps/openssl/openssl/crypto/conf/conf_mall.c +++ b/deps/openssl/openssl/crypto/conf/conf_mall.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,6 +14,7 @@ #include <openssl/x509.h> #include <openssl/asn1.h> #include <openssl/engine.h> +#include "conf_lcl.h" /* Load all OpenSSL builtin modules */ @@ -26,4 +27,5 @@ void OPENSSL_load_builtin_modules(void) ENGINE_add_conf_module(); #endif EVP_add_alg_module(); + conf_add_ssl_module(); } diff --git a/deps/openssl/openssl/crypto/conf/conf_ssl.c b/deps/openssl/openssl/crypto/conf/conf_ssl.c new file mode 100644 index 0000000000..015c46c6da --- /dev/null +++ b/deps/openssl/openssl/crypto/conf/conf_ssl.c @@ -0,0 +1,178 @@ +/* + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdio.h> +#include <string.h> +#include <openssl/conf.h> +#include <openssl/err.h> +#include "internal/sslconf.h" +#include "conf_lcl.h" + +/* + * SSL library configuration module placeholder. We load it here but defer + * all decisions about its contents to libssl. + */ + +struct ssl_conf_name_st { + /* Name of this set of commands */ + char *name; + /* List of commands */ + SSL_CONF_CMD *cmds; + /* Number of commands */ + size_t cmd_count; +}; + +struct ssl_conf_cmd_st { + /* Command */ + char *cmd; + /* Argument */ + char *arg; +}; + +static struct ssl_conf_name_st *ssl_names; +static size_t ssl_names_count; + +static void ssl_module_free(CONF_IMODULE *md) +{ + size_t i, j; + if (ssl_names == NULL) + return; + for (i = 0; i < ssl_names_count; i++) { + struct ssl_conf_name_st *tname = ssl_names + i; + + OPENSSL_free(tname->name); + for (j = 0; j < tname->cmd_count; j++) { + OPENSSL_free(tname->cmds[j].cmd); + OPENSSL_free(tname->cmds[j].arg); + } + OPENSSL_free(tname->cmds); + } + OPENSSL_free(ssl_names); + ssl_names = NULL; + ssl_names_count = 0; +} + +static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf) +{ + size_t i, j, cnt; + int rv = 0; + const char *ssl_conf_section; + STACK_OF(CONF_VALUE) *cmd_lists; + + ssl_conf_section = CONF_imodule_get_value(md); + cmd_lists = NCONF_get_section(cnf, ssl_conf_section); + if (sk_CONF_VALUE_num(cmd_lists) <= 0) { + if (cmd_lists == NULL) + CONFerr(CONF_F_SSL_MODULE_INIT, CONF_R_SSL_SECTION_NOT_FOUND); + else + CONFerr(CONF_F_SSL_MODULE_INIT, CONF_R_SSL_SECTION_EMPTY); + ERR_add_error_data(2, "section=", ssl_conf_section); + goto err; + } + cnt = sk_CONF_VALUE_num(cmd_lists); + ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt); + ssl_names_count = cnt; + for (i = 0; i < ssl_names_count; i++) { + struct ssl_conf_name_st *ssl_name = ssl_names + i; + CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, (int)i); + STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value); + + if (sk_CONF_VALUE_num(cmds) <= 0) { + if (cmds == NULL) + CONFerr(CONF_F_SSL_MODULE_INIT, + CONF_R_SSL_COMMAND_SECTION_NOT_FOUND); + else + CONFerr(CONF_F_SSL_MODULE_INIT, + CONF_R_SSL_COMMAND_SECTION_EMPTY); + ERR_add_error_data(4, "name=", sect->name, ", value=", sect->value); + goto err; + } + ssl_name->name = OPENSSL_strdup(sect->name); + if (ssl_name->name == NULL) + goto err; + cnt = sk_CONF_VALUE_num(cmds); + ssl_name->cmds = OPENSSL_zalloc(cnt * sizeof(struct ssl_conf_cmd_st)); + if (ssl_name->cmds == NULL) + goto err; + ssl_name->cmd_count = cnt; + for (j = 0; j < cnt; j++) { + const char *name; + CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, (int)j); + struct ssl_conf_cmd_st *cmd = ssl_name->cmds + j; + + /* Skip any initial dot in name */ + name = strchr(cmd_conf->name, '.'); + if (name != NULL) + name++; + else + name = cmd_conf->name; + cmd->cmd = OPENSSL_strdup(name); + cmd->arg = OPENSSL_strdup(cmd_conf->value); + if (cmd->cmd == NULL || cmd->arg == NULL) + goto err; + } + + } + rv = 1; + err: + if (rv == 0) + ssl_module_free(md); + return rv; +} + +/* + * Returns the set of commands with index |idx| previously searched for via + * conf_ssl_name_find. Also stores the name of the set of commands in |*name| + * and the number of commands in the set in |*cnt|. + */ +const SSL_CONF_CMD *conf_ssl_get(size_t idx, const char **name, size_t *cnt) +{ + *name = ssl_names[idx].name; + *cnt = ssl_names[idx].cmd_count; + return ssl_names[idx].cmds; +} + +/* + * Search for the named set of commands given in |name|. On success return the + * index for the command set in |*idx|. + * Returns 1 on success or 0 on failure. + */ +int conf_ssl_name_find(const char *name, size_t *idx) +{ + size_t i; + const struct ssl_conf_name_st *nm; + + if (name == NULL) + return 0; + for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) { + if (strcmp(nm->name, name) == 0) { + *idx = i; + return 1; + } + } + return 0; +} + +/* + * Given a command set |cmd|, return details on the command at index |idx| which + * must be less than the number of commands in the set (as returned by + * conf_ssl_get). The name of the command will be returned in |*cmdstr| and the + * argument is returned in |*arg|. + */ +void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr, + char **arg) +{ + *cmdstr = cmd[idx].cmd; + *arg = cmd[idx].arg; +} + +void conf_add_ssl_module(void) +{ + CONF_module_add("ssl_conf", ssl_module_init, ssl_module_free); +} diff --git a/deps/openssl/openssl/crypto/cryptlib.c b/deps/openssl/openssl/crypto/cryptlib.c index d93bcd357b..3b878cd0c2 100644 --- a/deps/openssl/openssl/crypto/cryptlib.c +++ b/deps/openssl/openssl/crypto/cryptlib.c @@ -23,29 +23,97 @@ extern unsigned int OPENSSL_ia32cap_P[4]; # if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY) -#include <stdio.h> + +/* + * Purpose of these minimalistic and character-type-agnostic subroutines + * is to break dependency on MSVCRT (on Windows) and locale. This makes + * OPENSSL_cpuid_setup safe to use as "constructor". "Character-type- + * agnostic" means that they work with either wide or 8-bit characters, + * exploiting the fact that first 127 characters can be simply casted + * between the sets, while the rest would be simply rejected by ossl_is* + * subroutines. + */ +# ifdef _WIN32 +typedef WCHAR variant_char; + +static variant_char *ossl_getenv(const char *name) +{ + /* + * Since we pull only one environment variable, it's simpler to + * to just ignore |name| and use equivalent wide-char L-literal. + * As well as to ignore excessively long values... + */ + static WCHAR value[48]; + DWORD len = GetEnvironmentVariableW(L"OPENSSL_ia32cap", value, 48); + + return (len > 0 && len < 48) ? value : NULL; +} +# else +typedef char variant_char; +# define ossl_getenv getenv +# endif + +static int todigit(variant_char c) +{ + if (c >= '0' && c <= '9') + return c - '0'; + else if (c >= 'A' && c <= 'F') + return c - 'A' + 10; + else if (c >= 'a' && c <= 'f') + return c - 'a' + 10; + + /* return largest base value to make caller terminate the loop */ + return 16; +} + +static uint64_t ossl_strtouint64(const variant_char *str) +{ + uint64_t ret = 0; + unsigned int digit, base = 10; + + if (*str == '0') { + base = 8, str++; + if (*str == 'x' || *str == 'X') + base = 16, str++; + } + + while((digit = todigit(*str++)) < base) + ret = ret * base + digit; + + return ret; +} + +static variant_char *ossl_strchr(const variant_char *str, char srch) +{ variant_char c; + + while((c = *str)) { + if (c == srch) + return (variant_char *)str; + str++; + } + + return NULL; +} + # define OPENSSL_CPUID_SETUP typedef uint64_t IA32CAP; + void OPENSSL_cpuid_setup(void) { static int trigger = 0; IA32CAP OPENSSL_ia32_cpuid(unsigned int *); IA32CAP vec; - char *env; + const variant_char *env; if (trigger) return; trigger = 1; - if ((env = getenv("OPENSSL_ia32cap"))) { + if ((env = ossl_getenv("OPENSSL_ia32cap")) != NULL) { int off = (env[0] == '~') ? 1 : 0; -# if defined(_WIN32) - if (!sscanf(env + off, "%I64i", &vec)) - vec = strtoul(env + off, NULL, 0); -# else - if (!sscanf(env + off, "%lli", (long long *)&vec)) - vec = strtoul(env + off, NULL, 0); -# endif + + vec = ossl_strtouint64(env + off); + if (off) { IA32CAP mask = vec; vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P) & ~mask; @@ -64,15 +132,17 @@ void OPENSSL_cpuid_setup(void) vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P); } - if ((env = strchr(env, ':'))) { - unsigned int vecx; + if ((env = ossl_strchr(env, ':')) != NULL) { + IA32CAP vecx; + env++; off = (env[0] == '~') ? 1 : 0; - vecx = strtoul(env + off, NULL, 0); - if (off) - OPENSSL_ia32cap_P[2] &= ~vecx; - else - OPENSSL_ia32cap_P[2] = vecx; + vecx = ossl_strtouint64(env + off); + if (off) { + OPENSSL_ia32cap_P[2] &= ~(unsigned int)vecx; + } else { + OPENSSL_ia32cap_P[2] = (unsigned int)vecx; + } } else { OPENSSL_ia32cap_P[2] = 0; } @@ -128,10 +198,14 @@ int OPENSSL_isservice(void) if (_OPENSSL_isservice.p == NULL) { HANDLE mod = GetModuleHandle(NULL); + FARPROC f; + if (mod != NULL) - _OPENSSL_isservice.f = GetProcAddress(mod, "_OPENSSL_isservice"); - if (_OPENSSL_isservice.p == NULL) + f = GetProcAddress(mod, "_OPENSSL_isservice"); + if (f == NULL) _OPENSSL_isservice.p = (void *)-1; + else + _OPENSSL_isservice.f = f; } if (_OPENSSL_isservice.p != (void *)-1) diff --git a/deps/openssl/openssl/crypto/dh/dh_key.c b/deps/openssl/openssl/crypto/dh/dh_key.c index 58003d7087..b53a063244 100644 --- a/deps/openssl/openssl/crypto/dh/dh_key.c +++ b/deps/openssl/openssl/crypto/dh/dh_key.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/crypto/dh/dh_meth.c b/deps/openssl/openssl/crypto/dh/dh_meth.c index ce6114c133..59c4d7e967 100644 --- a/deps/openssl/openssl/crypto/dh/dh_meth.c +++ b/deps/openssl/openssl/crypto/dh/dh_meth.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -75,7 +75,7 @@ int DH_meth_set1_name(DH_METHOD *dhm, const char *name) return 1; } -int DH_meth_get_flags(DH_METHOD *dhm) +int DH_meth_get_flags(const DH_METHOD *dhm) { return dhm->flags; } diff --git a/deps/openssl/openssl/crypto/dllmain.c b/deps/openssl/openssl/crypto/dllmain.c index 2d96787025..91904aad98 100644 --- a/deps/openssl/openssl/crypto/dllmain.c +++ b/deps/openssl/openssl/crypto/dllmain.c @@ -57,3 +57,4 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) return (TRUE); } #endif + diff --git a/deps/openssl/openssl/crypto/dsa/dsa_err.c b/deps/openssl/openssl/crypto/dsa/dsa_err.c index b8f0af4662..132008803e 100644 --- a/deps/openssl/openssl/crypto/dsa/dsa_err.c +++ b/deps/openssl/openssl/crypto/dsa/dsa_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -40,6 +40,7 @@ static ERR_STRING_DATA DSA_str_functs[] = { {ERR_FUNC(DSA_F_DSA_SIG_NEW), "DSA_SIG_new"}, {ERR_FUNC(DSA_F_OLD_DSA_PRIV_DECODE), "old_dsa_priv_decode"}, {ERR_FUNC(DSA_F_PKEY_DSA_CTRL), "pkey_dsa_ctrl"}, + {ERR_FUNC(DSA_F_PKEY_DSA_CTRL_STR), "pkey_dsa_ctrl_str"}, {ERR_FUNC(DSA_F_PKEY_DSA_KEYGEN), "pkey_dsa_keygen"}, {0, NULL} }; diff --git a/deps/openssl/openssl/crypto/dsa/dsa_gen.c b/deps/openssl/openssl/crypto/dsa/dsa_gen.c index e58ad8d70d..46f4f01ee0 100644 --- a/deps/openssl/openssl/crypto/dsa/dsa_gen.c +++ b/deps/openssl/openssl/crypto/dsa/dsa_gen.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -64,9 +64,16 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, /* invalid q size */ return 0; - if (evpmd == NULL) - /* use SHA1 as default */ - evpmd = EVP_sha1(); + if (evpmd == NULL) { + if (qsize == SHA_DIGEST_LENGTH) + evpmd = EVP_sha1(); + else if (qsize == SHA224_DIGEST_LENGTH) + evpmd = EVP_sha224(); + else + evpmd = EVP_sha256(); + } else { + qsize = EVP_MD_size(evpmd); + } if (bits < 512) bits = 512; diff --git a/deps/openssl/openssl/crypto/dsa/dsa_meth.c b/deps/openssl/openssl/crypto/dsa/dsa_meth.c index f0188f2007..04203780c4 100644 --- a/deps/openssl/openssl/crypto/dsa/dsa_meth.c +++ b/deps/openssl/openssl/crypto/dsa/dsa_meth.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -83,7 +83,7 @@ int DSA_meth_set1_name(DSA_METHOD *dsam, const char *name) return 1; } -int DSA_meth_get_flags(DSA_METHOD *dsam) +int DSA_meth_get_flags(const DSA_METHOD *dsam) { return dsam->flags; } diff --git a/deps/openssl/openssl/crypto/dsa/dsa_ossl.c b/deps/openssl/openssl/crypto/dsa/dsa_ossl.c index 7f48cf2e33..4aa49f554a 100644 --- a/deps/openssl/openssl/crypto/dsa/dsa_ossl.c +++ b/deps/openssl/openssl/crypto/dsa/dsa_ossl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -61,19 +61,13 @@ const DSA_METHOD *DSA_OpenSSL(void) static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { BIGNUM *kinv = NULL; - BIGNUM *m; - BIGNUM *xr; + BIGNUM *m, *blind, *blindm, *tmp; BN_CTX *ctx = NULL; int reason = ERR_R_BN_LIB; DSA_SIG *ret = NULL; int rv = 0; - m = BN_new(); - xr = BN_new(); - if (m == NULL || xr == NULL) - goto err; - - if (!dsa->p || !dsa->q || !dsa->g) { + if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) { reason = DSA_R_MISSING_PARAMETERS; goto err; } @@ -89,6 +83,13 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) ctx = BN_CTX_new(); if (ctx == NULL) goto err; + m = BN_CTX_get(ctx); + blind = BN_CTX_get(ctx); + blindm = BN_CTX_get(ctx); + tmp = BN_CTX_get(ctx); + if (tmp == NULL) + goto err; + redo: if (!dsa_sign_setup(dsa, ctx, &kinv, &ret->r, dgst, dlen)) goto err; @@ -103,17 +104,50 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) if (BN_bin2bn(dgst, dlen, m) == NULL) goto err; - /* Compute s = inv(k) (m + xr) mod q */ - if (!BN_mod_mul(xr, dsa->priv_key, ret->r, dsa->q, ctx)) - goto err; /* s = xr */ - if (!BN_add(ret->s, xr, m)) - goto err; /* s = m + xr */ - if (BN_cmp(ret->s, dsa->q) > 0) - if (!BN_sub(ret->s, ret->s, dsa->q)) + /* + * The normal signature calculation is: + * + * s := k^-1 * (m + r * priv_key) mod q + * + * We will blind this to protect against side channel attacks + * + * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q + */ + + /* Generate a blinding value */ + do { + if (!BN_rand(blind, BN_num_bits(dsa->q) - 1, BN_RAND_TOP_ANY, + BN_RAND_BOTTOM_ANY)) goto err; + } while (BN_is_zero(blind)); + BN_set_flags(blind, BN_FLG_CONSTTIME); + BN_set_flags(blindm, BN_FLG_CONSTTIME); + BN_set_flags(tmp, BN_FLG_CONSTTIME); + + /* tmp := blind * priv_key * r mod q */ + if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->q, ctx)) + goto err; + if (!BN_mod_mul(tmp, tmp, ret->r, dsa->q, ctx)) + goto err; + + /* blindm := blind * m mod q */ + if (!BN_mod_mul(blindm, blind, m, dsa->q, ctx)) + goto err; + + /* s : = (blind * priv_key * r) + (blind * m) mod q */ + if (!BN_mod_add_quick(ret->s, tmp, blindm, dsa->q)) + goto err; + + /* s := s * k^-1 mod q */ if (!BN_mod_mul(ret->s, ret->s, kinv, dsa->q, ctx)) goto err; + /* s:= s * blind^-1 mod q */ + if (BN_mod_inverse(blind, blind, dsa->q, ctx) == NULL) + goto err; + if (!BN_mod_mul(ret->s, ret->s, blind, dsa->q, ctx)) + goto err; + /* * Redo if r or s is zero as required by FIPS 186-3: this is very * unlikely. @@ -130,8 +164,6 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) ret = NULL; } BN_CTX_free(ctx); - BN_clear_free(m); - BN_clear_free(xr); BN_clear_free(kinv); return ret; } diff --git a/deps/openssl/openssl/crypto/dsa/dsa_pmeth.c b/deps/openssl/openssl/crypto/dsa/dsa_pmeth.c index 95f088a5ec..d606316954 100644 --- a/deps/openssl/openssl/crypto/dsa/dsa_pmeth.c +++ b/deps/openssl/openssl/crypto/dsa/dsa_pmeth.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -76,13 +76,8 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; - if (dctx->md) { - if (tbslen != (size_t)EVP_MD_size(dctx->md)) - return 0; - } else { - if (tbslen != SHA_DIGEST_LENGTH) - return 0; - } + if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) + return 0; ret = DSA_sign(0, tbs, tbslen, sig, &sltmp, dsa); @@ -100,13 +95,8 @@ static int pkey_dsa_verify(EVP_PKEY_CTX *ctx, DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; - if (dctx->md) { - if (tbslen != (size_t)EVP_MD_size(dctx->md)) - return 0; - } else { - if (tbslen != SHA_DIGEST_LENGTH) - return 0; - } + if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) + return 0; ret = DSA_verify(0, tbs, tbslen, sig, siglen, dsa); @@ -187,9 +177,15 @@ static int pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx, NULL); } if (strcmp(type, "dsa_paramgen_md") == 0) { + const EVP_MD *md = EVP_get_digestbyname(value); + + if (md == NULL) { + DSAerr(DSA_F_PKEY_DSA_CTRL_STR, DSA_R_INVALID_DIGEST_TYPE); + return 0; + } return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0, - (void *)EVP_get_digestbyname(value)); + (void *)md); } return -2; } diff --git a/deps/openssl/openssl/crypto/dso/dso_dlfcn.c b/deps/openssl/openssl/crypto/dso/dso_dlfcn.c index a4b0cdd95b..e01425bc75 100644 --- a/deps/openssl/openssl/crypto/dso/dso_dlfcn.c +++ b/deps/openssl/openssl/crypto/dso/dso_dlfcn.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -26,7 +26,7 @@ # endif # include <dlfcn.h> # define HAVE_DLINFO 1 -# if defined(_AIX) || defined(__CYGWIN__) || \ +# if defined(__CYGWIN__) || \ defined(__SCO_VERSION__) || defined(_SCO_ELF) || \ (defined(__osf__) && !defined(RTLD_NEXT)) || \ (defined(__OpenBSD__) && !defined(RTLD_SELF)) || \ @@ -308,6 +308,76 @@ static int dladdr(void *address, Dl_info *dl) } # endif /* __sgi */ +# ifdef _AIX +/*- + * See IBM's AIX Version 7.2, Technical Reference: + * Base Operating System and Extensions, Volume 1 and 2 + * https://www.ibm.com/support/knowledgecenter/ssw_aix_72/com.ibm.aix.base/technicalreferences.htm + */ +# include <sys/ldr.h> +# include <errno.h> +/* ~ 64 * (sizeof(struct ld_info) + _XOPEN_PATH_MAX + _XOPEN_NAME_MAX) */ +# define DLFCN_LDINFO_SIZE 86976 +typedef struct Dl_info { + const char *dli_fname; +} Dl_info; +/* + * This dladdr()-implementation will also find the ptrgl (Pointer Glue) virtual + * address of a function, which is just located in the DATA segment instead of + * the TEXT segment. + */ +static int dladdr(void *ptr, Dl_info *dl) +{ + uintptr_t addr = (uintptr_t)ptr; + unsigned int found = 0; + struct ld_info *ldinfos, *next_ldi, *this_ldi; + + if ((ldinfos = (struct ld_info *)OPENSSL_malloc(DLFCN_LDINFO_SIZE)) == NULL) { + errno = ENOMEM; + dl->dli_fname = NULL; + return 0; + } + + if ((loadquery(L_GETINFO, (void *)ldinfos, DLFCN_LDINFO_SIZE)) < 0) { + /*- + * Error handling is done through errno and dlerror() reading errno: + * ENOMEM (ldinfos buffer is too small), + * EINVAL (invalid flags), + * EFAULT (invalid ldinfos ptr) + */ + OPENSSL_free((void *)ldinfos); + dl->dli_fname = NULL; + return 0; + } + next_ldi = ldinfos; + + do { + this_ldi = next_ldi; + if (((addr >= (uintptr_t)this_ldi->ldinfo_textorg) + && (addr < ((uintptr_t)this_ldi->ldinfo_textorg + + this_ldi->ldinfo_textsize))) + || ((addr >= (uintptr_t)this_ldi->ldinfo_dataorg) + && (addr < ((uintptr_t)this_ldi->ldinfo_dataorg + + this_ldi->ldinfo_datasize)))) { + found = 1; + /* + * Ignoring the possibility of a member name and just returning + * the path name. See docs: sys/ldr.h, loadquery() and + * dlopen()/RTLD_MEMBER. + */ + if ((dl->dli_fname = + OPENSSL_strdup(this_ldi->ldinfo_filename)) == NULL) + errno = ENOMEM; + } else { + next_ldi = + (struct ld_info *)((uintptr_t)this_ldi + this_ldi->ldinfo_next); + } + } while (this_ldi->ldinfo_next && !found); + OPENSSL_free((void *)ldinfos); + return (found && dl->dli_fname != NULL); +} +# endif /* _AIX */ + static int dlfcn_pathbyaddr(void *addr, char *path, int sz) { # ifdef HAVE_DLINFO @@ -326,12 +396,19 @@ static int dlfcn_pathbyaddr(void *addr, char *path, int sz) if (dladdr(addr, &dli)) { len = (int)strlen(dli.dli_fname); - if (sz <= 0) + if (sz <= 0) { +# ifdef _AIX + OPENSSL_free((void *)dli.dli_fname); +# endif return len + 1; + } if (len >= sz) len = sz - 1; memcpy(path, dli.dli_fname, len); path[len++] = 0; +# ifdef _AIX + OPENSSL_free((void *)dli.dli_fname); +# endif return len; } diff --git a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv4.pl b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv4.pl index 2314b75244..4eb4c68977 100755 --- a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv4.pl +++ b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -894,13 +894,13 @@ ecp_nistz256_scatter_w7: .Loop_scatter_w7: ldr $mask,[$inp],#4 subs $index,$index,#1 - strb $mask,[$out,#64*0-1] + strb $mask,[$out,#64*0] mov $mask,$mask,lsr#8 - strb $mask,[$out,#64*1-1] + strb $mask,[$out,#64*1] mov $mask,$mask,lsr#8 - strb $mask,[$out,#64*2-1] + strb $mask,[$out,#64*2] mov $mask,$mask,lsr#8 - strb $mask,[$out,#64*3-1] + strb $mask,[$out,#64*3] add $out,$out,#64*4 bne .Loop_scatter_w7 @@ -1633,7 +1633,7 @@ ___ $code.=<<___; .Ladd_done: add sp,sp,#32*18+16+16 @ +16 means "skip even over saved r0-r3" -#if __ARM_ARCH__>=5 || defined(__thumb__) +#if __ARM_ARCH__>=5 || !defined(__thumb__) ldmia sp!,{r4-r12,pc} #else ldmia sp!,{r4-r12,lr} diff --git a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv8.pl b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv8.pl index d93c4fe957..2a39675bfd 100644 --- a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv8.pl +++ b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-armv8.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -660,7 +660,7 @@ __ecp_nistz256_div_by_2: adc $ap,xzr,xzr // zap $ap tst $acc0,#1 // is a even? - csel $acc0,$acc0,$t0,eq // ret = even ? a : a+modulus + csel $acc0,$acc0,$t0,eq // ret = even ? a : a+modulus csel $acc1,$acc1,$t1,eq csel $acc2,$acc2,$t2,eq csel $acc3,$acc3,$t3,eq @@ -1477,21 +1477,21 @@ ecp_nistz256_scatter_w7: prfm pstl1strm,[$out,#4096+64*5] prfm pstl1strm,[$out,#4096+64*6] prfm pstl1strm,[$out,#4096+64*7] - strb w3,[$out,#64*0-1] + strb w3,[$out,#64*0] lsr x3,x3,#8 - strb w3,[$out,#64*1-1] + strb w3,[$out,#64*1] lsr x3,x3,#8 - strb w3,[$out,#64*2-1] + strb w3,[$out,#64*2] lsr x3,x3,#8 - strb w3,[$out,#64*3-1] + strb w3,[$out,#64*3] lsr x3,x3,#8 - strb w3,[$out,#64*4-1] + strb w3,[$out,#64*4] lsr x3,x3,#8 - strb w3,[$out,#64*5-1] + strb w3,[$out,#64*5] lsr x3,x3,#8 - strb w3,[$out,#64*6-1] + strb w3,[$out,#64*6] lsr x3,x3,#8 - strb w3,[$out,#64*7-1] + strb w3,[$out,#64*7] add $out,$out,#64*8 b.ne .Loop_scatter_w7 diff --git a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-avx2.pl b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-avx2.pl index 3bdd2cf13f..edd7d01281 100755 --- a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-avx2.pl +++ b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-avx2.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -67,7 +67,7 @@ if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=12); } -if (!$addx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) { +if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) { my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10 $avx = ($ver>=3.0) + ($ver>=3.01); $addx = ($ver>=3.03); diff --git a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-sparcv9.pl b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-sparcv9.pl index ee11069459..0c1af95b13 100755 --- a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-sparcv9.pl +++ b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-sparcv9.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1531,13 +1531,13 @@ ecp_nistz256_scatter_w7: ld [$inp],%l0 add $inp,4,$inp subcc $index,1,$index - stb %l0,[$out+64*0-1] + stb %l0,[$out+64*0] srl %l0,8,%l1 - stb %l1,[$out+64*1-1] + stb %l1,[$out+64*1] srl %l0,16,%l2 - stb %l2,[$out+64*2-1] + stb %l2,[$out+64*2] srl %l0,24,%l3 - stb %l3,[$out+64*3-1] + stb %l3,[$out+64*3] bne .Loop_scatter_w7 add $out,64*4,$out @@ -1874,7 +1874,7 @@ $code.=<<___ if ($i<3); ldx [$bp+8*($i+1)],$bi ! bp[$i+1] ___ $code.=<<___; - addcc $acc1,$t0,$acc1 ! accumulate high parts of multiplication + addcc $acc1,$t0,$acc1 ! accumulate high parts of multiplication sllx $acc0,32,$t0 addxccc $acc2,$t1,$acc2 srlx $acc0,32,$t1 diff --git a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86.pl b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86.pl index f637c844c4..b3bec23228 100755 --- a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86.pl +++ b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -443,7 +443,7 @@ for(1..37) { &mov (&DWP(20,"esp"),"eax"); &mov (&DWP(24,"esp"),"eax"); &mov (&DWP(28,"esp"),"eax"); - + &call ("_ecp_nistz256_sub"); &stack_pop(8); @@ -1179,7 +1179,7 @@ for ($i=0;$i<7;$i++) { &mov ("esi",&wparam(1)); &mov ("ebp",&wparam(2)); - &lea ("edi",&DWP(-1,"edi","ebp")); + &lea ("edi",&DWP(0,"edi","ebp")); &mov ("ebp",64/4); &set_label("scatter_w7_loop"); &mov ("eax",&DWP(0,"esi")); diff --git a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl index 183137e5f0..714e852a18 100755 --- a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl +++ b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl @@ -3051,8 +3051,8 @@ ___ ######################################################################## # Convert ecp_nistz256_table.c to layout expected by ecp_nistz_gather_w7 # -open TABLE,"<ecp_nistz256_table.c" or -open TABLE,"<${dir}../ecp_nistz256_table.c" or +open TABLE,"<ecp_nistz256_table.c" or +open TABLE,"<${dir}../ecp_nistz256_table.c" or die "failed to open ecp_nistz256_table.c:",$!; use integer; diff --git a/deps/openssl/openssl/crypto/ec/ec2_smpl.c b/deps/openssl/openssl/crypto/ec/ec2_smpl.c index cfeef5fc74..28b91d5102 100644 --- a/deps/openssl/openssl/crypto/ec/ec2_smpl.c +++ b/deps/openssl/openssl/crypto/ec/ec2_smpl.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -330,6 +330,7 @@ int ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src) if (!BN_copy(dest->Z, src->Z)) return 0; dest->Z_is_one = src->Z_is_one; + dest->curve_name = src->curve_name; return 1; } diff --git a/deps/openssl/openssl/crypto/ec/ec_ameth.c b/deps/openssl/openssl/crypto/ec/ec_ameth.c index b66adf2bbc..f8f1e2c842 100644 --- a/deps/openssl/openssl/crypto/ec/ec_ameth.c +++ b/deps/openssl/openssl/crypto/ec/ec_ameth.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -92,19 +92,19 @@ static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) static EC_KEY *eckey_type2param(int ptype, const void *pval) { EC_KEY *eckey = NULL; + EC_GROUP *group = NULL; + if (ptype == V_ASN1_SEQUENCE) { const ASN1_STRING *pstr = pval; - const unsigned char *pm = NULL; - int pmlen; - pm = pstr->data; - pmlen = pstr->length; + const unsigned char *pm = pstr->data; + int pmlen = pstr->length; + if ((eckey = d2i_ECParameters(NULL, &pm, pmlen)) == NULL) { ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR); goto ecerr; } } else if (ptype == V_ASN1_OBJECT) { const ASN1_OBJECT *poid = pval; - EC_GROUP *group; /* * type == V_ASN1_OBJECT => the parameters are given by an asn1 OID @@ -129,6 +129,7 @@ static EC_KEY *eckey_type2param(int ptype, const void *pval) ecerr: EC_KEY_free(eckey); + EC_GROUP_free(group); return NULL; } diff --git a/deps/openssl/openssl/crypto/ec/ec_curve.c b/deps/openssl/openssl/crypto/ec/ec_curve.c index f8a3846fd5..b022528be2 100644 --- a/deps/openssl/openssl/crypto/ec/ec_curve.c +++ b/deps/openssl/openssl/crypto/ec/ec_curve.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -3036,6 +3036,8 @@ static EC_GROUP *ec_group_new_from_data(const ec_list_element curve) } #endif + EC_GROUP_set_curve_name(group, curve.nid); + if ((P = EC_POINT_new(group)) == NULL) { ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); goto err; @@ -3101,8 +3103,6 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int nid) return NULL; } - EC_GROUP_set_curve_name(ret, nid); - return ret; } diff --git a/deps/openssl/openssl/crypto/ec/ec_lcl.h b/deps/openssl/openssl/crypto/ec/ec_lcl.h index ded35a72a0..d8141704cf 100644 --- a/deps/openssl/openssl/crypto/ec/ec_lcl.h +++ b/deps/openssl/openssl/crypto/ec/ec_lcl.h @@ -1,5 +1,5 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -269,6 +269,8 @@ struct ec_key_st { struct ec_point_st { const EC_METHOD *meth; + /* NID for the curve if known */ + int curve_name; /* * All members except 'meth' are handled by the method functions, even if * they appear generic @@ -281,6 +283,20 @@ struct ec_point_st { * special case */ }; + +static ossl_inline int ec_point_is_compat(const EC_POINT *point, + const EC_GROUP *group) +{ + if (group->meth != point->meth + || (group->curve_name != 0 + && point->curve_name != 0 + && group->curve_name != point->curve_name)) + return 0; + + return 1; +} + + NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *); NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *); diff --git a/deps/openssl/openssl/crypto/ec/ec_lib.c b/deps/openssl/openssl/crypto/ec/ec_lib.c index 7cb4bfee28..e256e4e511 100644 --- a/deps/openssl/openssl/crypto/ec/ec_lib.c +++ b/deps/openssl/openssl/crypto/ec/ec_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -140,6 +140,8 @@ int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src) if (dest == src) return 1; + dest->curve_name = src->curve_name; + /* Copy precomputed */ dest->pre_comp_type = src->pre_comp_type; switch (src->pre_comp_type) { @@ -202,7 +204,6 @@ int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src) return 0; } - dest->curve_name = src->curve_name; dest->asn1_flag = src->asn1_flag; dest->asn1_form = src->asn1_form; @@ -563,6 +564,7 @@ EC_POINT *EC_POINT_new(const EC_GROUP *group) } ret->meth = group->meth; + ret->curve_name = group->curve_name; if (!ret->meth->point_init(ret)) { OPENSSL_free(ret); @@ -600,7 +602,10 @@ int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src) ECerr(EC_F_EC_POINT_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (dest->meth != src->meth) { + if (dest->meth != src->meth + || (dest->curve_name != src->curve_name + && dest->curve_name != 0 + && src->curve_name != 0)) { ECerr(EC_F_EC_POINT_COPY, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -657,7 +662,7 @@ int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -676,7 +681,7 @@ int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -694,7 +699,7 @@ int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -720,7 +725,7 @@ int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -746,7 +751,7 @@ int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -764,7 +769,7 @@ int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -780,8 +785,8 @@ int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, ECerr(EC_F_EC_POINT_ADD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if ((group->meth != r->meth) || (r->meth != a->meth) - || (a->meth != b->meth)) { + if (!ec_point_is_compat(r, group) || !ec_point_is_compat(a, group) + || !ec_point_is_compat(b, group)) { ECerr(EC_F_EC_POINT_ADD, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -795,7 +800,7 @@ int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, ECerr(EC_F_EC_POINT_DBL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if ((group->meth != r->meth) || (r->meth != a->meth)) { + if (!ec_point_is_compat(r, group) || !ec_point_is_compat(a, group)) { ECerr(EC_F_EC_POINT_DBL, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -808,7 +813,7 @@ int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx) ECerr(EC_F_EC_POINT_INVERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != a->meth) { + if (!ec_point_is_compat(a, group)) { ECerr(EC_F_EC_POINT_INVERT, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -822,7 +827,7 @@ int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_IS_AT_INFINITY, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -843,7 +848,7 @@ int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, ECerr(EC_F_EC_POINT_IS_ON_CURVE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_IS_ON_CURVE, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -857,7 +862,7 @@ int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return -1; } - if ((group->meth != a->meth) || (a->meth != b->meth)) { + if (!ec_point_is_compat(a, group) || !ec_point_is_compat(b, group)) { ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS); return -1; } @@ -870,7 +875,7 @@ int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) ECerr(EC_F_EC_POINT_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -887,7 +892,7 @@ int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, return 0; } for (i = 0; i < num; i++) { - if (group->meth != points[i]->meth) { + if (!ec_point_is_compat(points[i], group)) { ECerr(EC_F_EC_POINTS_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS); return 0; } diff --git a/deps/openssl/openssl/crypto/ec/ec_mult.c b/deps/openssl/openssl/crypto/ec/ec_mult.c index b39777fbf2..56c7767772 100644 --- a/deps/openssl/openssl/crypto/ec/ec_mult.c +++ b/deps/openssl/openssl/crypto/ec/ec_mult.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -105,6 +105,224 @@ void EC_ec_pre_comp_free(EC_PRE_COMP *pre) OPENSSL_free(pre); } +#define EC_POINT_BN_set_flags(P, flags) do { \ + BN_set_flags((P)->X, (flags)); \ + BN_set_flags((P)->Y, (flags)); \ + BN_set_flags((P)->Z, (flags)); \ +} while(0) + +/*- + * This functions computes (in constant time) a point multiplication over the + * EC group. + * + * At a high level, it is Montgomery ladder with conditional swaps. + * + * It performs either a fixed scalar point multiplication + * (scalar * generator) + * when point is NULL, or a generic scalar point multiplication + * (scalar * point) + * when point is not NULL. + * + * scalar should be in the range [0,n) otherwise all constant time bets are off. + * + * NB: This says nothing about EC_POINT_add and EC_POINT_dbl, + * which of course are not constant time themselves. + * + * The product is stored in r. + * + * Returns 1 on success, 0 otherwise. + */ +static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, const EC_POINT *point, + BN_CTX *ctx) +{ + int i, cardinality_bits, group_top, kbit, pbit, Z_is_one; + EC_POINT *s = NULL; + BIGNUM *k = NULL; + BIGNUM *lambda = NULL; + BIGNUM *cardinality = NULL; + BN_CTX *new_ctx = NULL; + int ret = 0; + + if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL) + return 0; + + BN_CTX_start(ctx); + + s = EC_POINT_new(group); + if (s == NULL) + goto err; + + if (point == NULL) { + if (!EC_POINT_copy(s, group->generator)) + goto err; + } else { + if (!EC_POINT_copy(s, point)) + goto err; + } + + EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME); + + cardinality = BN_CTX_get(ctx); + lambda = BN_CTX_get(ctx); + k = BN_CTX_get(ctx); + if (k == NULL || !BN_mul(cardinality, group->order, group->cofactor, ctx)) + goto err; + + /* + * Group cardinalities are often on a word boundary. + * So when we pad the scalar, some timing diff might + * pop if it needs to be expanded due to carries. + * So expand ahead of time. + */ + cardinality_bits = BN_num_bits(cardinality); + group_top = bn_get_top(cardinality); + if ((bn_wexpand(k, group_top + 1) == NULL) + || (bn_wexpand(lambda, group_top + 1) == NULL)) + goto err; + + if (!BN_copy(k, scalar)) + goto err; + + BN_set_flags(k, BN_FLG_CONSTTIME); + + if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) { + /*- + * this is an unusual input, and we don't guarantee + * constant-timeness + */ + if (!BN_nnmod(k, k, cardinality, ctx)) + goto err; + } + + if (!BN_add(lambda, k, cardinality)) + goto err; + BN_set_flags(lambda, BN_FLG_CONSTTIME); + if (!BN_add(k, lambda, cardinality)) + goto err; + /* + * lambda := scalar + cardinality + * k := scalar + 2*cardinality + */ + kbit = BN_is_bit_set(lambda, cardinality_bits); + BN_consttime_swap(kbit, k, lambda, group_top + 1); + + group_top = bn_get_top(group->field); + if ((bn_wexpand(s->X, group_top) == NULL) + || (bn_wexpand(s->Y, group_top) == NULL) + || (bn_wexpand(s->Z, group_top) == NULL) + || (bn_wexpand(r->X, group_top) == NULL) + || (bn_wexpand(r->Y, group_top) == NULL) + || (bn_wexpand(r->Z, group_top) == NULL)) + goto err; + + /* top bit is a 1, in a fixed pos */ + if (!EC_POINT_copy(r, s)) + goto err; + + EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME); + + if (!EC_POINT_dbl(group, s, s, ctx)) + goto err; + + pbit = 0; + +#define EC_POINT_CSWAP(c, a, b, w, t) do { \ + BN_consttime_swap(c, (a)->X, (b)->X, w); \ + BN_consttime_swap(c, (a)->Y, (b)->Y, w); \ + BN_consttime_swap(c, (a)->Z, (b)->Z, w); \ + t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \ + (a)->Z_is_one ^= (t); \ + (b)->Z_is_one ^= (t); \ +} while(0) + + /*- + * The ladder step, with branches, is + * + * k[i] == 0: S = add(R, S), R = dbl(R) + * k[i] == 1: R = add(S, R), S = dbl(S) + * + * Swapping R, S conditionally on k[i] leaves you with state + * + * k[i] == 0: T, U = R, S + * k[i] == 1: T, U = S, R + * + * Then perform the ECC ops. + * + * U = add(T, U) + * T = dbl(T) + * + * Which leaves you with state + * + * k[i] == 0: U = add(R, S), T = dbl(R) + * k[i] == 1: U = add(S, R), T = dbl(S) + * + * Swapping T, U conditionally on k[i] leaves you with state + * + * k[i] == 0: R, S = T, U + * k[i] == 1: R, S = U, T + * + * Which leaves you with state + * + * k[i] == 0: S = add(R, S), R = dbl(R) + * k[i] == 1: R = add(S, R), S = dbl(S) + * + * So we get the same logic, but instead of a branch it's a + * conditional swap, followed by ECC ops, then another conditional swap. + * + * Optimization: The end of iteration i and start of i-1 looks like + * + * ... + * CSWAP(k[i], R, S) + * ECC + * CSWAP(k[i], R, S) + * (next iteration) + * CSWAP(k[i-1], R, S) + * ECC + * CSWAP(k[i-1], R, S) + * ... + * + * So instead of two contiguous swaps, you can merge the condition + * bits and do a single swap. + * + * k[i] k[i-1] Outcome + * 0 0 No Swap + * 0 1 Swap + * 1 0 Swap + * 1 1 No Swap + * + * This is XOR. pbit tracks the previous bit of k. + */ + + for (i = cardinality_bits - 1; i >= 0; i--) { + kbit = BN_is_bit_set(k, i) ^ pbit; + EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one); + if (!EC_POINT_add(group, s, r, s, ctx)) + goto err; + if (!EC_POINT_dbl(group, r, r, ctx)) + goto err; + /* + * pbit logic merges this cswap with that of the + * next iteration + */ + pbit ^= kbit; + } + /* one final cswap to move the right value into r */ + EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one); +#undef EC_POINT_CSWAP + + ret = 1; + + err: + EC_POINT_free(s); + BN_CTX_end(ctx); + BN_CTX_free(new_ctx); + + return ret; +} + +#undef EC_POINT_BN_set_flags + /* * TODO: table should be optimised for the wNAF-based implementation, * sometimes smaller windows will give better performance (thus the @@ -155,7 +373,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, * precomputation is not available */ int ret = 0; - if (group->meth != r->meth) { + if (!ec_point_is_compat(r, group)) { ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -164,8 +382,34 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, return EC_POINT_set_to_infinity(group, r); } + /*- + * Handle the common cases where the scalar is secret, enforcing a constant + * time scalar multiplication algorithm. + */ + if ((scalar != NULL) && (num == 0)) { + /*- + * In this case we want to compute scalar * GeneratorPoint: this + * codepath is reached most prominently by (ephemeral) key generation + * of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH + * keygen/first half), where the scalar is always secret. This is why + * we ignore if BN_FLG_CONSTTIME is actually set and we always call the + * constant time version. + */ + return ec_mul_consttime(group, r, scalar, NULL, ctx); + } + if ((scalar == NULL) && (num == 1)) { + /*- + * In this case we want to compute scalar * GenericPoint: this codepath + * is reached most prominently by the second half of ECDH, where the + * secret scalar is multiplied by the peer's public point. To protect + * the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and + * we always call the constant time version. + */ + return ec_mul_consttime(group, r, scalars[0], points[0], ctx); + } + for (i = 0; i < num; i++) { - if (group->meth != points[i]->meth) { + if (!ec_point_is_compat(points[i], group)) { ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS); return 0; } diff --git a/deps/openssl/openssl/crypto/ec/ec_oct.c b/deps/openssl/openssl/crypto/ec/ec_oct.c index effc42a344..e185df6edf 100644 --- a/deps/openssl/openssl/crypto/ec/ec_oct.c +++ b/deps/openssl/openssl/crypto/ec/ec_oct.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -30,7 +30,7 @@ int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -66,7 +66,7 @@ int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS); return 0; @@ -93,7 +93,7 @@ size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, ECerr(EC_F_EC_POINT_POINT2OCT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_POINT2OCT, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -123,7 +123,7 @@ int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point, ECerr(EC_F_EC_POINT_OCT2POINT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } - if (group->meth != point->meth) { + if (!ec_point_is_compat(point, group)) { ECerr(EC_F_EC_POINT_OCT2POINT, EC_R_INCOMPATIBLE_OBJECTS); return 0; } diff --git a/deps/openssl/openssl/crypto/ec/ecdsa_ossl.c b/deps/openssl/openssl/crypto/ec/ecdsa_ossl.c index 449be0e92a..9e4a68d9ca 100644 --- a/deps/openssl/openssl/crypto/ec/ecdsa_ossl.c +++ b/deps/openssl/openssl/crypto/ec/ecdsa_ossl.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -10,9 +10,8 @@ #include <string.h> #include <openssl/err.h> #include <openssl/obj_mac.h> -#include <openssl/bn.h> #include <openssl/rand.h> -#include <openssl/ec.h> +#include "internal/bn_int.h" #include "ec_lcl.h" int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, @@ -53,13 +52,12 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, return 0; } - if (ctx_in == NULL) { + if ((ctx = ctx_in) == NULL) { if ((ctx = BN_CTX_new()) == NULL) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE); return 0; } - } else - ctx = ctx_in; + } k = BN_new(); /* this value is later returned in *kinvp */ r = BN_new(); /* this value is later returned in *rp */ @@ -73,10 +71,6 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, goto err; } order = EC_GROUP_get0_order(group); - if (order == NULL) { - ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); - goto err; - } /* Preallocate space */ order_bits = BN_num_bits(order); @@ -87,23 +81,23 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, do { /* get random k */ - do + do { if (dgst != NULL) { - if (!BN_generate_dsa_nonce - (k, order, EC_KEY_get0_private_key(eckey), dgst, dlen, - ctx)) { + if (!BN_generate_dsa_nonce(k, order, + EC_KEY_get0_private_key(eckey), + dgst, dlen, ctx)) { ECerr(EC_F_ECDSA_SIGN_SETUP, - EC_R_RANDOM_NUMBER_GENERATION_FAILED); + EC_R_RANDOM_NUMBER_GENERATION_FAILED); goto err; } } else { if (!BN_rand_range(k, order)) { ECerr(EC_F_ECDSA_SIGN_SETUP, - EC_R_RANDOM_NUMBER_GENERATION_FAILED); + EC_R_RANDOM_NUMBER_GENERATION_FAILED); goto err; } } - while (BN_is_zero(k)); + } while (BN_is_zero(k)); /* * We do not want timing information to leak the length of k, so we @@ -129,18 +123,16 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, } if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) { - if (!EC_POINT_get_affine_coordinates_GFp - (group, tmp_point, X, NULL, ctx)) { + if (!EC_POINT_get_affine_coordinates_GFp(group, tmp_point, X, + NULL, ctx)) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); goto err; } } #ifndef OPENSSL_NO_EC2M else { /* NID_X9_62_characteristic_two_field */ - - if (!EC_POINT_get_affine_coordinates_GF2m(group, - tmp_point, X, NULL, - ctx)) { + if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp_point, X, + NULL, ctx)) { ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); goto err; } @@ -150,8 +142,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); goto err; } - } - while (BN_is_zero(r)); + } while (BN_is_zero(r)); /* compute the inverse of k */ if (EC_GROUP_get_mont_data(group) != NULL) { @@ -210,8 +201,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, EC_KEY *eckey) { int ok = 0, i; - BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *blind = NULL; - BIGNUM *blindm = NULL; + BIGNUM *kinv = NULL, *s, *m = NULL; const BIGNUM *order, *ckinv; BN_CTX *ctx = NULL; const EC_GROUP *group; @@ -244,27 +234,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, } s = ret->s; - ctx = BN_CTX_secure_new(); - if (ctx == NULL) { - ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); - goto err; - } - - BN_CTX_start(ctx); - tmp = BN_CTX_get(ctx); - m = BN_CTX_get(ctx); - blind = BN_CTX_get(ctx); - blindm = BN_CTX_get(ctx); - if (blindm == NULL) { + if ((ctx = BN_CTX_new()) == NULL + || (m = BN_new()) == NULL) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); goto err; } order = EC_GROUP_get0_order(group); - if (order == NULL) { - ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_EC_LIB); - goto err; - } i = BN_num_bits(order); /* * Need to truncate digest if it is too long: first truncate whole bytes. @@ -275,7 +251,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); goto err; } - /* If still too long truncate remaining bits with a shift */ + /* If still too long, truncate remaining bits with a shift */ if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); goto err; @@ -296,59 +272,27 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, } /* - * The normal signature calculation is: - * - * s := k^-1 * (m + r * priv_key) mod order - * - * We will blind this to protect against side channel attacks - * - * s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order + * With only one multiplicant being in Montgomery domain + * multiplication yields real result without post-conversion. + * Also note that all operations but last are performed with + * zero-padded vectors. Last operation, BN_mod_mul_montgomery + * below, returns user-visible value with removed zero padding. */ - - /* Generate a blinding value */ - do { - if (!BN_rand(blind, BN_num_bits(order) - 1, BN_RAND_TOP_ANY, - BN_RAND_BOTTOM_ANY)) - goto err; - } while (BN_is_zero(blind)); - BN_set_flags(blind, BN_FLG_CONSTTIME); - BN_set_flags(blindm, BN_FLG_CONSTTIME); - BN_set_flags(tmp, BN_FLG_CONSTTIME); - - /* tmp := blind * priv_key * r mod order */ - if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) { - ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); - goto err; - } - if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) { - ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); - goto err; - } - - /* blindm := blind * m mod order */ - if (!BN_mod_mul(blindm, blind, m, order, ctx)) { - ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); - goto err; - } - - /* s : = (blind * priv_key * r) + (blind * m) mod order */ - if (!BN_mod_add_quick(s, tmp, blindm, order)) { - ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); - goto err; - } - - /* s:= s * blind^-1 mod order */ - if (BN_mod_inverse(blind, blind, order, ctx) == NULL) { + if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx) + || !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); goto err; } - if (!BN_mod_mul(s, s, blind, order, ctx)) { + if (!bn_mod_add_fixed_top(s, s, m, order)) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); goto err; } - - /* s := s * k^-1 mod order */ - if (!BN_mod_mul(s, s, ckinv, order, ctx)) { + /* + * |s| can still be larger than modulus, because |m| can be. In + * such case we count on Montgomery reduction to tie it up. + */ + if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx) + || !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) { ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); goto err; } @@ -362,11 +306,11 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES); goto err; } - } else + } else { /* s != 0 => we have a valid signature */ break; - } - while (1); + } + } while (1); ok = 1; err: @@ -374,8 +318,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, ECDSA_SIG_free(ret); ret = NULL; } - BN_CTX_end(ctx); BN_CTX_free(ctx); + BN_clear_free(m); BN_clear_free(kinv); return ret; } diff --git a/deps/openssl/openssl/crypto/ec/ecp_nistz256.c b/deps/openssl/openssl/crypto/ec/ecp_nistz256.c index 246189833e..4dbe216927 100644 --- a/deps/openssl/openssl/crypto/ec/ecp_nistz256.c +++ b/deps/openssl/openssl/crypto/ec/ecp_nistz256.c @@ -1,5 +1,5 @@ /* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1110,28 +1110,12 @@ __owur static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *gr const P256_POINT_AFFINE *in, BN_CTX *ctx) { - BIGNUM *x, *y; - BN_ULONG d_x[P256_LIMBS], d_y[P256_LIMBS]; int ret = 0; - x = BN_new(); - if (x == NULL) - return 0; - y = BN_new(); - if (y == NULL) { - BN_free(x); - return 0; - } - memcpy(d_x, in->X, sizeof(d_x)); - bn_set_static_words(x, d_x, P256_LIMBS); - - memcpy(d_y, in->Y, sizeof(d_y)); - bn_set_static_words(y, d_y, P256_LIMBS); - - ret = EC_POINT_set_affine_coordinates_GFp(group, out, x, y, ctx); - - BN_free(x); - BN_free(y); + if ((ret = bn_set_words(out->X, in->X, P256_LIMBS)) + && (ret = bn_set_words(out->Y, in->Y, P256_LIMBS)) + && (ret = bn_set_words(out->Z, ONE, P256_LIMBS))) + out->Z_is_one = 1; return ret; } @@ -1168,7 +1152,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group, return 0; } - if (group->meth != r->meth) { + if (!ec_point_is_compat(r, group)) { ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -1177,7 +1161,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group, return EC_POINT_set_to_infinity(group, r); for (j = 0; j < num; j++) { - if (group->meth != points[j]->meth) { + if (!ec_point_is_compat(points[j], group)) { ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); return 0; } @@ -1210,9 +1194,9 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group, if (pre_comp_generator == NULL) goto err; + ecp_nistz256_gather_w7(&p.a, pre_comp->precomp[0], 1); if (!ecp_nistz256_set_from_affine(pre_comp_generator, - group, pre_comp->precomp[0], - ctx)) { + group, &p.a, ctx)) { EC_POINT_free(pre_comp_generator); goto err; } diff --git a/deps/openssl/openssl/crypto/ec/ecp_smpl.c b/deps/openssl/openssl/crypto/ec/ecp_smpl.c index abd3795046..e3b88315fd 100644 --- a/deps/openssl/openssl/crypto/ec/ecp_smpl.c +++ b/deps/openssl/openssl/crypto/ec/ecp_smpl.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -352,6 +352,7 @@ int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src) if (!BN_copy(dest->Z, src->Z)) return 0; dest->Z_is_one = src->Z_is_one; + dest->curve_name = src->curve_name; return 1; } diff --git a/deps/openssl/openssl/crypto/engine/eng_lib.c b/deps/openssl/openssl/crypto/engine/eng_lib.c index cbefc7eb6c..ef8e995503 100644 --- a/deps/openssl/openssl/crypto/engine/eng_lib.c +++ b/deps/openssl/openssl/crypto/engine/eng_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -18,7 +18,8 @@ CRYPTO_ONCE engine_lock_init = CRYPTO_ONCE_STATIC_INIT; DEFINE_RUN_ONCE(do_engine_lock_init) { - OPENSSL_init_crypto(0, NULL); + if (!OPENSSL_init_crypto(0, NULL)) + return 0; global_engine_lock = CRYPTO_THREAD_lock_new(); return global_engine_lock != NULL; } @@ -143,8 +144,10 @@ void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb) if (!int_cleanup_check(1)) return; item = int_cleanup_item(cb); - if (item) - sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item); + if (item != NULL) { + if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) <= 0) + OPENSSL_free(item); + } } /* The API function that performs all cleanup */ diff --git a/deps/openssl/openssl/crypto/engine/eng_openssl.c b/deps/openssl/openssl/crypto/engine/eng_openssl.c index 0e53c4d1fd..9208f7eafc 100644 --- a/deps/openssl/openssl/crypto/engine/eng_openssl.c +++ b/deps/openssl/openssl/crypto/engine/eng_openssl.c @@ -649,3 +649,4 @@ int openssl_destroy(ENGINE *e) #endif return 1; } + diff --git a/deps/openssl/openssl/crypto/engine/tb_asnmth.c b/deps/openssl/openssl/crypto/engine/tb_asnmth.c index 480267daab..5c7b161703 100644 --- a/deps/openssl/openssl/crypto/engine/tb_asnmth.c +++ b/deps/openssl/openssl/crypto/engine/tb_asnmth.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -170,7 +170,8 @@ static void look_str_cb(int nid, STACK_OF(ENGINE) *sk, ENGINE *def, void *arg) ENGINE *e = sk_ENGINE_value(sk, i); EVP_PKEY_ASN1_METHOD *ameth; e->pkey_asn1_meths(e, &ameth, NULL, nid); - if (((int)strlen(ameth->pem_str) == lk->len) + if (ameth != NULL + && ((int)strlen(ameth->pem_str) == lk->len) && strncasecmp(ameth->pem_str, lk->str, lk->len) == 0) { lk->e = e; lk->ameth = ameth; diff --git a/deps/openssl/openssl/crypto/err/err.c b/deps/openssl/openssl/crypto/err/err.c index c4399285fe..08c27a3e83 100644 --- a/deps/openssl/openssl/crypto/err/err.c +++ b/deps/openssl/openssl/crypto/err/err.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -254,7 +254,8 @@ static void ERR_STATE_free(ERR_STATE *s) DEFINE_RUN_ONCE_STATIC(do_err_strings_init) { - OPENSSL_init_crypto(0, NULL); + if (!OPENSSL_init_crypto(0, NULL)) + return 0; err_string_lock = CRYPTO_THREAD_lock_new(); return err_string_lock != NULL; } @@ -653,29 +654,31 @@ DEFINE_RUN_ONCE_STATIC(err_do_init) ERR_STATE *ERR_get_state(void) { - ERR_STATE *state = NULL; + ERR_STATE *state; - if (!RUN_ONCE(&err_init, err_do_init)) + if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL)) return NULL; - /* - * If base OPENSSL_init_crypto() hasn't been called yet, be sure to call - * it now to avoid state to be doubly allocated and thereby leak memory. - * Needed on any platform that doesn't define OPENSSL_USE_NODELETE. - */ - if (!OPENSSL_init_crypto(0, NULL)) + if (!RUN_ONCE(&err_init, err_do_init)) return NULL; state = CRYPTO_THREAD_get_local(&err_thread_local); + if (state == (ERR_STATE*)-1) + return NULL; if (state == NULL) { - state = OPENSSL_zalloc(sizeof(*state)); - if (state == NULL) + if (!CRYPTO_THREAD_set_local(&err_thread_local, (ERR_STATE*)-1)) return NULL; + if ((state = OPENSSL_zalloc(sizeof(*state))) == NULL) { + CRYPTO_THREAD_set_local(&err_thread_local, NULL); + return NULL; + } + if (!ossl_init_thread_start(OPENSSL_INIT_THREAD_ERR_STATE) - || !CRYPTO_THREAD_set_local(&err_thread_local, state)) { + || !CRYPTO_THREAD_set_local(&err_thread_local, state)) { ERR_STATE_free(state); + CRYPTO_THREAD_set_local(&err_thread_local, NULL); return NULL; } @@ -686,13 +689,41 @@ ERR_STATE *ERR_get_state(void) return state; } +/* + * err_shelve_state returns the current thread local error state + * and freezes the error module until err_unshelve_state is called. + */ +int err_shelve_state(void **state) +{ + if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL)) + return 0; + + if (!RUN_ONCE(&err_init, err_do_init)) + return 0; + + *state = CRYPTO_THREAD_get_local(&err_thread_local); + if (!CRYPTO_THREAD_set_local(&err_thread_local, (ERR_STATE*)-1)) + return 0; + + return 1; +} + +/* + * err_unshelve_state restores the error state that was returned + * by err_shelve_state previously. + */ +void err_unshelve_state(void* state) +{ + if (state != (void*)-1) + CRYPTO_THREAD_set_local(&err_thread_local, (ERR_STATE*)state); +} + int ERR_get_next_error_library(void) { int ret; - if (!RUN_ONCE(&err_string_init, do_err_strings_init)) { + if (!RUN_ONCE(&err_string_init, do_err_strings_init)) return 0; - } CRYPTO_THREAD_write_lock(err_string_lock); ret = int_err_library_number++; diff --git a/deps/openssl/openssl/crypto/evp/cmeth_lib.c b/deps/openssl/openssl/crypto/evp/cmeth_lib.c index 5769e0a554..e2295c4dc5 100644 --- a/deps/openssl/openssl/crypto/evp/cmeth_lib.c +++ b/deps/openssl/openssl/crypto/evp/cmeth_lib.c @@ -148,3 +148,4 @@ int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *, { return cipher->ctrl; } + diff --git a/deps/openssl/openssl/crypto/evp/evp_err.c b/deps/openssl/openssl/crypto/evp/evp_err.c index c4b163f0ba..3543d44cb4 100644 --- a/deps/openssl/openssl/crypto/evp/evp_err.c +++ b/deps/openssl/openssl/crypto/evp/evp_err.c @@ -70,6 +70,8 @@ static ERR_STRING_DATA EVP_str_functs[] = { {ERR_FUNC(EVP_F_EVP_PKEY_GET0_RSA), "EVP_PKEY_get0_RSA"}, {ERR_FUNC(EVP_F_EVP_PKEY_KEYGEN), "EVP_PKEY_keygen"}, {ERR_FUNC(EVP_F_EVP_PKEY_KEYGEN_INIT), "EVP_PKEY_keygen_init"}, + {ERR_FUNC(EVP_F_EVP_PKEY_METH_ADD0), "EVP_PKEY_meth_add0"}, + {ERR_FUNC(EVP_F_EVP_PKEY_METH_NEW), "EVP_PKEY_meth_new"}, {ERR_FUNC(EVP_F_EVP_PKEY_NEW), "EVP_PKEY_new"}, {ERR_FUNC(EVP_F_EVP_PKEY_PARAMGEN), "EVP_PKEY_paramgen"}, {ERR_FUNC(EVP_F_EVP_PKEY_PARAMGEN_INIT), "EVP_PKEY_paramgen_init"}, @@ -143,6 +145,7 @@ static ERR_STRING_DATA EVP_str_reasons[] = { {ERR_REASON(EVP_R_OPERATON_NOT_INITIALIZED), "operaton not initialized"}, {ERR_REASON(EVP_R_PARTIALLY_OVERLAPPING), "partially overlapping buffers"}, + {ERR_REASON(EVP_R_PBKDF2_ERROR), "pbkdf2 error"}, {ERR_REASON(EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED), "pkey application asn1 method already registered"}, {ERR_REASON(EVP_R_PKEY_ASN1_METHOD_ALREADY_REGISTERED), diff --git a/deps/openssl/openssl/crypto/evp/pmeth_lib.c b/deps/openssl/openssl/crypto/evp/pmeth_lib.c index 5e650a9db3..f623db3483 100644 --- a/deps/openssl/openssl/crypto/evp/pmeth_lib.c +++ b/deps/openssl/openssl/crypto/evp/pmeth_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -151,8 +151,10 @@ EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags) EVP_PKEY_METHOD *pmeth; pmeth = OPENSSL_zalloc(sizeof(*pmeth)); - if (pmeth == NULL) + if (pmeth == NULL) { + EVPerr(EVP_F_EVP_PKEY_METH_NEW, ERR_R_MALLOC_FAILURE); return NULL; + } pmeth->pkey_id = id; pmeth->flags = flags | EVP_PKEY_FLAG_DYNAMIC; @@ -238,8 +240,10 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *pctx) } #endif rctx = OPENSSL_malloc(sizeof(*rctx)); - if (rctx == NULL) + if (rctx == NULL) { + EVPerr(EVP_F_EVP_PKEY_CTX_DUP, ERR_R_MALLOC_FAILURE); return NULL; + } rctx->pmeth = pctx->pmeth; #ifndef OPENSSL_NO_ENGINE @@ -273,11 +277,15 @@ int EVP_PKEY_meth_add0(const EVP_PKEY_METHOD *pmeth) { if (app_pkey_methods == NULL) { app_pkey_methods = sk_EVP_PKEY_METHOD_new(pmeth_cmp); - if (app_pkey_methods == NULL) + if (app_pkey_methods == NULL) { + EVPerr(EVP_F_EVP_PKEY_METH_ADD0, ERR_R_MALLOC_FAILURE); return 0; + } } - if (!sk_EVP_PKEY_METHOD_push(app_pkey_methods, pmeth)) + if (!sk_EVP_PKEY_METHOD_push(app_pkey_methods, pmeth)) { + EVPerr(EVP_F_EVP_PKEY_METH_ADD0, ERR_R_MALLOC_FAILURE); return 0; + } sk_EVP_PKEY_METHOD_sort(app_pkey_methods); return 1; } @@ -557,26 +565,26 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth, pmeth->ctrl_str = ctrl_str; } -void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_init(const EVP_PKEY_METHOD *pmeth, int (**pinit) (EVP_PKEY_CTX *ctx)) { *pinit = pmeth->init; } -void EVP_PKEY_meth_get_copy(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_copy(const EVP_PKEY_METHOD *pmeth, int (**pcopy) (EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)) { *pcopy = pmeth->copy; } -void EVP_PKEY_meth_get_cleanup(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_cleanup(const EVP_PKEY_METHOD *pmeth, void (**pcleanup) (EVP_PKEY_CTX *ctx)) { *pcleanup = pmeth->cleanup; } -void EVP_PKEY_meth_get_paramgen(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_paramgen(const EVP_PKEY_METHOD *pmeth, int (**pparamgen_init) (EVP_PKEY_CTX *ctx), int (**pparamgen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)) @@ -587,7 +595,7 @@ void EVP_PKEY_meth_get_paramgen(EVP_PKEY_METHOD *pmeth, *pparamgen = pmeth->paramgen; } -void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_keygen(const EVP_PKEY_METHOD *pmeth, int (**pkeygen_init) (EVP_PKEY_CTX *ctx), int (**pkeygen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)) @@ -598,7 +606,7 @@ void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth, *pkeygen = pmeth->keygen; } -void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_sign(const EVP_PKEY_METHOD *pmeth, int (**psign_init) (EVP_PKEY_CTX *ctx), int (**psign) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, @@ -611,7 +619,7 @@ void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth, *psign = pmeth->sign; } -void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_verify(const EVP_PKEY_METHOD *pmeth, int (**pverify_init) (EVP_PKEY_CTX *ctx), int (**pverify) (EVP_PKEY_CTX *ctx, const unsigned char *sig, @@ -625,7 +633,7 @@ void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth, *pverify = pmeth->verify; } -void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_verify_recover(const EVP_PKEY_METHOD *pmeth, int (**pverify_recover_init) (EVP_PKEY_CTX *ctx), int (**pverify_recover) (EVP_PKEY_CTX @@ -643,7 +651,7 @@ void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth, *pverify_recover = pmeth->verify_recover; } -void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_signctx(const EVP_PKEY_METHOD *pmeth, int (**psignctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx), int (**psignctx) (EVP_PKEY_CTX *ctx, @@ -657,7 +665,7 @@ void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth, *psignctx = pmeth->signctx; } -void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_verifyctx(const EVP_PKEY_METHOD *pmeth, int (**pverifyctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx), int (**pverifyctx) (EVP_PKEY_CTX *ctx, @@ -671,7 +679,7 @@ void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth, *pverifyctx = pmeth->verifyctx; } -void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_encrypt(const EVP_PKEY_METHOD *pmeth, int (**pencrypt_init) (EVP_PKEY_CTX *ctx), int (**pencryptfn) (EVP_PKEY_CTX *ctx, unsigned char *out, @@ -685,7 +693,7 @@ void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth, *pencryptfn = pmeth->encrypt; } -void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_decrypt(const EVP_PKEY_METHOD *pmeth, int (**pdecrypt_init) (EVP_PKEY_CTX *ctx), int (**pdecrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, @@ -699,7 +707,7 @@ void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth, *pdecrypt = pmeth->decrypt; } -void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_derive(const EVP_PKEY_METHOD *pmeth, int (**pderive_init) (EVP_PKEY_CTX *ctx), int (**pderive) (EVP_PKEY_CTX *ctx, unsigned char *key, @@ -711,7 +719,7 @@ void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth, *pderive = pmeth->derive; } -void EVP_PKEY_meth_get_ctrl(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_ctrl(const EVP_PKEY_METHOD *pmeth, int (**pctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2), int (**pctrl_str) (EVP_PKEY_CTX *ctx, diff --git a/deps/openssl/openssl/crypto/evp/scrypt.c b/deps/openssl/openssl/crypto/evp/scrypt.c index 101bb1edbd..3543df5403 100644 --- a/deps/openssl/openssl/crypto/evp/scrypt.c +++ b/deps/openssl/openssl/crypto/evp/scrypt.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -171,8 +171,10 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, if (r == 0 || p == 0 || N < 2 || (N & (N - 1))) return 0; /* Check p * r < SCRYPT_PR_MAX avoiding overflow */ - if (p > SCRYPT_PR_MAX / r) + if (p > SCRYPT_PR_MAX / r) { + EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; + } /* * Need to check N: if 2^(128 * r / 8) overflows limit this is @@ -180,8 +182,10 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, */ if (16 * r <= LOG2_UINT64_MAX) { - if (N >= (((uint64_t)1) << (16 * r))) + if (N >= (((uint64_t)1) << (16 * r))) { + EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; + } } /* Memory checks: check total allocated buffer size fits in uint64_t */ @@ -199,13 +203,17 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, * This is combined size V, X and T (section 4) */ i = UINT64_MAX / (32 * sizeof(uint32_t)); - if (N + 2 > i / r) + if (N + 2 > i / r) { + EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; + } Vlen = 32 * r * (N + 2) * sizeof(uint32_t); /* check total allocated size fits in uint64_t */ - if (Blen > UINT64_MAX - Vlen) + if (Blen > UINT64_MAX - Vlen) { + EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); return 0; + } /* check total allocated size fits in size_t */ if (Blen > SIZE_MAX - Vlen) return 0; @@ -225,8 +233,10 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, return 1; B = OPENSSL_malloc(allocsize); - if (B == NULL) + if (B == NULL) { + EVPerr(EVP_F_EVP_PBE_SCRYPT, ERR_R_MALLOC_FAILURE); return 0; + } X = (uint32_t *)(B + Blen); T = X + 32 * r; V = T + 32 * r; @@ -242,6 +252,9 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, goto err; rv = 1; err: + if (rv == 0) + EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PBKDF2_ERROR); + OPENSSL_clear_free(B, allocsize); return rv; } diff --git a/deps/openssl/openssl/crypto/ex_data.c b/deps/openssl/openssl/crypto/ex_data.c index 22c4d3d9b9..6e3072f2a9 100644 --- a/deps/openssl/openssl/crypto/ex_data.c +++ b/deps/openssl/openssl/crypto/ex_data.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -38,7 +38,8 @@ static CRYPTO_ONCE ex_data_init = CRYPTO_ONCE_STATIC_INIT; DEFINE_RUN_ONCE_STATIC(do_ex_data_init) { - OPENSSL_init_crypto(0, NULL); + if (!OPENSSL_init_crypto(0, NULL)) + return 0; ex_data_lock = CRYPTO_THREAD_lock_new(); return ex_data_lock != NULL; } diff --git a/deps/openssl/openssl/crypto/include/internal/__DECC_INCLUDE_EPILOGUE.H b/deps/openssl/openssl/crypto/include/internal/__DECC_INCLUDE_EPILOGUE.H new file mode 100644 index 0000000000..5f63860808 --- /dev/null +++ b/deps/openssl/openssl/crypto/include/internal/__DECC_INCLUDE_EPILOGUE.H @@ -0,0 +1,16 @@ +/* + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * This file is only used by HP C on VMS, and is included automatically + * after each header file from this directory + */ + +/* restore state. Must correspond to the save in __decc_include_prologue.h */ +#pragma names restore diff --git a/deps/openssl/openssl/crypto/include/internal/__DECC_INCLUDE_PROLOGUE.H b/deps/openssl/openssl/crypto/include/internal/__DECC_INCLUDE_PROLOGUE.H new file mode 100644 index 0000000000..78b2a87d88 --- /dev/null +++ b/deps/openssl/openssl/crypto/include/internal/__DECC_INCLUDE_PROLOGUE.H @@ -0,0 +1,20 @@ +/* + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * This file is only used by HP C on VMS, and is included automatically + * after each header file from this directory + */ + +/* save state */ +#pragma names save +/* have the compiler shorten symbols larger than 31 chars to 23 chars + * followed by a 8 hex char CRC + */ +#pragma names as_is,shortened diff --git a/deps/openssl/openssl/crypto/include/internal/asn1_int.h b/deps/openssl/openssl/crypto/include/internal/asn1_int.h index f70e3b47ba..ba9c062702 100644 --- a/deps/openssl/openssl/crypto/include/internal/asn1_int.h +++ b/deps/openssl/openssl/crypto/include/internal/asn1_int.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -90,5 +90,3 @@ struct asn1_pctx_st { unsigned long oid_flags; unsigned long str_flags; } /* ASN1_PCTX */ ; - -int asn1_valid_host(const ASN1_STRING *host); diff --git a/deps/openssl/openssl/crypto/include/internal/async.h b/deps/openssl/openssl/crypto/include/internal/async.h index 16a12a6371..dc8e937b0c 100644 --- a/deps/openssl/openssl/crypto/include/internal/async.h +++ b/deps/openssl/openssl/crypto/include/internal/async.h @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,3 +11,5 @@ int async_init(void); void async_deinit(void); +void async_delete_thread_state(void); + diff --git a/deps/openssl/openssl/crypto/include/internal/bn_conf.h b/deps/openssl/openssl/crypto/include/internal/bn_conf.h deleted file mode 100644 index 79400c6472..0000000000 --- a/deps/openssl/openssl/crypto/include/internal/bn_conf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/bn_conf.h" diff --git a/deps/openssl/openssl/crypto/include/internal/bn_int.h b/deps/openssl/openssl/crypto/include/internal/bn_int.h index 9c984ba781..2fcdd0d13e 100644 --- a/deps/openssl/openssl/crypto/include/internal/bn_int.h +++ b/deps/openssl/openssl/crypto/include/internal/bn_int.h @@ -1,5 +1,5 @@ /* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -53,7 +53,7 @@ BN_ULONG *bn_get_words(const BIGNUM *a); * Set the internal data words in a to point to words which contains size * elements. The BN_FLG_STATIC_DATA flag is set */ -void bn_set_static_words(BIGNUM *a, BN_ULONG *words, int size); +void bn_set_static_words(BIGNUM *a, const BN_ULONG *words, int size); /* * Copy words into the BIGNUM |a|, reallocating space as necessary. @@ -64,7 +64,7 @@ void bn_set_static_words(BIGNUM *a, BN_ULONG *words, int size); * |num_words| is int because bn_expand2 takes an int. This is an internal * function so we simply trust callers not to pass negative values. */ -int bn_set_words(BIGNUM *a, BN_ULONG *words, int num_words); +int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words); size_t bn_sizeof_BIGNUM(void); @@ -74,6 +74,19 @@ size_t bn_sizeof_BIGNUM(void); */ BIGNUM *bn_array_el(BIGNUM *base, int el); +/* + * Some BIGNUM functions assume most significant limb to be non-zero, which + * is customarily arranged by bn_correct_top. Output from below functions + * is not processed with bn_correct_top, and for this reason it may not be + * returned out of public API. It may only be passed internally into other + * functions known to support non-minimal or zero-padded BIGNUMs. + */ +int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + BN_MONT_CTX *mont, BN_CTX *ctx); +int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, + BN_CTX *ctx); +int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + const BIGNUM *m); #ifdef __cplusplus } diff --git a/deps/openssl/openssl/crypto/include/internal/cryptlib.h b/deps/openssl/openssl/crypto/include/internal/cryptlib.h index f3ec9b67b8..627fd8caf4 100644 --- a/deps/openssl/openssl/crypto/include/internal/cryptlib.h +++ b/deps/openssl/openssl/crypto/include/internal/cryptlib.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -74,6 +74,8 @@ FILE *openssl_fopen(const char *filename, const char *mode); void *openssl_fopen(const char *filename, const char *mode); # endif +unsigned long OPENSSL_rdtsc(void); + #ifdef __cplusplus } #endif diff --git a/deps/openssl/openssl/crypto/include/internal/cryptlib_int.h b/deps/openssl/openssl/crypto/include/internal/cryptlib_int.h index ab86e1e53d..ceeb63ddd0 100644 --- a/deps/openssl/openssl/crypto/include/internal/cryptlib_int.h +++ b/deps/openssl/openssl/crypto/include/internal/cryptlib_int.h @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -24,7 +24,9 @@ int ossl_init_thread_start(uint64_t opts); * use". */ # define OPENSSL_INIT_ZLIB 0x00010000L +# define OPENSSL_INIT_BASE_ONLY 0x00040000L /* OPENSSL_INIT_THREAD flags */ # define OPENSSL_INIT_THREAD_ASYNC 0x01 # define OPENSSL_INIT_THREAD_ERR_STATE 0x02 + diff --git a/deps/openssl/openssl/crypto/include/internal/dso_conf.h b/deps/openssl/openssl/crypto/include/internal/dso_conf.h deleted file mode 100644 index e7f2afa987..0000000000 --- a/deps/openssl/openssl/crypto/include/internal/dso_conf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../../config/dso_conf.h" diff --git a/deps/openssl/openssl/crypto/include/internal/err_int.h b/deps/openssl/openssl/crypto/include/internal/err_int.h index 7fec3ed767..44ac944627 100644 --- a/deps/openssl/openssl/crypto/include/internal/err_int.h +++ b/deps/openssl/openssl/crypto/include/internal/err_int.h @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,5 +13,7 @@ int err_load_crypto_strings_int(void); void err_cleanup(void); void err_delete_thread_state(void); +int err_shelve_state(void **); +void err_unshelve_state(void *); #endif diff --git a/deps/openssl/openssl/crypto/include/internal/x509_int.h b/deps/openssl/openssl/crypto/include/internal/x509_int.h index 2845026dd8..eb43997704 100644 --- a/deps/openssl/openssl/crypto/include/internal/x509_int.h +++ b/deps/openssl/openssl/crypto/include/internal/x509_int.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -166,6 +166,7 @@ struct x509_st { unsigned char sha1_hash[SHA_DIGEST_LENGTH]; X509_CERT_AUX *aux; CRYPTO_RWLOCK *lock; + volatile int ex_cached; } /* X509 */ ; /* diff --git a/deps/openssl/openssl/crypto/init.c b/deps/openssl/openssl/crypto/init.c index 2d16c41bc6..00a91792d8 100644 --- a/deps/openssl/openssl/crypto/init.c +++ b/deps/openssl/openssl/crypto/init.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -27,11 +27,25 @@ static int stopped = 0; -static void ossl_init_thread_stop(struct thread_local_inits_st *locals); +/* + * Since per-thread-specific-data destructors are not universally + * available, i.e. not on Windows, only below CRYPTO_THREAD_LOCAL key + * is assumed to have destructor associated. And then an effort is made + * to call this single destructor on non-pthread platform[s]. + * + * Initial value is "impossible". It is used as guard value to shortcut + * destructor for threads terminating before libcrypto is initialized or + * after it's de-initialized. Access to the key doesn't have to be + * serialized for the said threads, because they didn't use libcrypto + * and it doesn't matter if they pick "impossible" or derefernce real + * key value and pull NULL past initialization in the first thread that + * intends to use libcrypto. + */ +static CRYPTO_THREAD_LOCAL destructor_key = (CRYPTO_THREAD_LOCAL)-1; -static CRYPTO_THREAD_LOCAL threadstopkey; +static void ossl_init_thread_stop(struct thread_local_inits_st *locals); -static void ossl_init_thread_stop_wrap(void *local) +static void ossl_init_thread_destructor(void *local) { ossl_init_thread_stop((struct thread_local_inits_st *)local); } @@ -39,17 +53,17 @@ static void ossl_init_thread_stop_wrap(void *local) static struct thread_local_inits_st *ossl_init_get_thread_local(int alloc) { struct thread_local_inits_st *local = - CRYPTO_THREAD_get_local(&threadstopkey); + CRYPTO_THREAD_get_local(&destructor_key); - if (local == NULL && alloc) { - local = OPENSSL_zalloc(sizeof(*local)); - if (local != NULL && !CRYPTO_THREAD_set_local(&threadstopkey, local)) { + if (alloc) { + if (local == NULL + && (local = OPENSSL_zalloc(sizeof(*local))) != NULL + && !CRYPTO_THREAD_set_local(&destructor_key, local)) { OPENSSL_free(local); return NULL; } - } - if (!alloc) { - CRYPTO_THREAD_set_local(&threadstopkey, NULL); + } else { + CRYPTO_THREAD_set_local(&destructor_key, NULL); } return local; @@ -68,29 +82,42 @@ static CRYPTO_ONCE base = CRYPTO_ONCE_STATIC_INIT; static int base_inited = 0; DEFINE_RUN_ONCE_STATIC(ossl_init_base) { + CRYPTO_THREAD_LOCAL key; + #ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: ossl_init_base: Setting up stop handlers\n"); #endif - /* - * We use a dummy thread local key here. We use the destructor to detect - * when the thread is going to stop (where that feature is available) - */ - CRYPTO_THREAD_init_local(&threadstopkey, ossl_init_thread_stop_wrap); + if (!CRYPTO_THREAD_init_local(&key, ossl_init_thread_destructor)) + return 0; + if ((init_lock = CRYPTO_THREAD_lock_new()) == NULL) + goto err; #ifndef OPENSSL_SYS_UEFI - atexit(OPENSSL_cleanup); + if (atexit(OPENSSL_cleanup) != 0) + goto err; #endif - if ((init_lock = CRYPTO_THREAD_lock_new()) == NULL) - return 0; OPENSSL_cpuid_setup(); - /* - * BIG FAT WARNING! - * Everything needed to be initialized in this function before threads - * come along MUST happen before base_inited is set to 1, or we will - * see race conditions. - */ + destructor_key = key; base_inited = 1; + return 1; + +err: +#ifdef OPENSSL_INIT_DEBUG + fprintf(stderr, "OPENSSL_INIT: ossl_init_base not ok!\n"); +#endif + CRYPTO_THREAD_lock_free(init_lock); + init_lock = NULL; + + CRYPTO_THREAD_cleanup_local(&key); + return 0; +} +static CRYPTO_ONCE load_crypto_nodelete = CRYPTO_ONCE_STATIC_INIT; +DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_nodelete) +{ +#ifdef OPENSSL_INIT_DEBUG + fprintf(stderr, "OPENSSL_INIT: ossl_init_load_crypto_nodelete()\n"); +#endif #if !defined(OPENSSL_NO_DSO) && !defined(OPENSSL_USE_NODELETE) # ifdef DSO_WIN32 { @@ -102,6 +129,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_base) | GET_MODULE_HANDLE_EX_FLAG_PIN, (void *)&base_inited, &handle); +# ifdef OPENSSL_INIT_DEBUG + fprintf(stderr, "OPENSSL_INIT: obtained DSO reference? %s\n", + (ret == TRUE ? "No!" : "Yes.")); +# endif return (ret == TRUE) ? 1 : 0; } # else @@ -110,12 +141,24 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_base) * to remain loaded until the atexit() handler is run at process exit. */ { - DSO *dso = NULL; + DSO *dso; + void *err; + + if (!err_shelve_state(&err)) + return 0; - ERR_set_mark(); dso = DSO_dsobyaddr(&base_inited, DSO_FLAG_NO_UNLOAD_ON_FREE); +# ifdef OPENSSL_INIT_DEBUG + fprintf(stderr, "OPENSSL_INIT: obtained DSO reference? %s\n", + (dso == NULL ? "No!" : "Yes.")); + /* + * In case of No!, it is uncertain our exit()-handlers can still be + * called. After dlclose() the whole library might have been unloaded + * already. + */ +# endif DSO_free(dso); - ERR_pop_to_mark(); + err_unshelve_state(err); } # endif #endif @@ -145,7 +188,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings) # endif ret = err_load_crypto_strings_int(); load_crypto_strings_inited = 1; -#endif +#endif return ret; } @@ -335,9 +378,9 @@ static void ossl_init_thread_stop(struct thread_local_inits_st *locals) if (locals->async) { #ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: ossl_init_thread_stop: " - "ASYNC_cleanup_thread()\n"); + "async_delete_thread_state()\n"); #endif - ASYNC_cleanup_thread(); + async_delete_thread_state(); } if (locals->err_state) { @@ -353,8 +396,8 @@ static void ossl_init_thread_stop(struct thread_local_inits_st *locals) void OPENSSL_thread_stop(void) { - ossl_init_thread_stop( - (struct thread_local_inits_st *)ossl_init_get_thread_local(0)); + if (destructor_key != (CRYPTO_THREAD_LOCAL)-1) + ossl_init_thread_stop(ossl_init_get_thread_local(0)); } int ossl_init_thread_start(uint64_t opts) @@ -391,6 +434,7 @@ int ossl_init_thread_start(uint64_t opts) void OPENSSL_cleanup(void) { OPENSSL_INIT_STOP *currhandler, *lasthandler; + CRYPTO_THREAD_LOCAL key; /* If we've not been inited then no need to deinit */ if (!base_inited) @@ -449,7 +493,9 @@ void OPENSSL_cleanup(void) err_free_strings_int(); } - CRYPTO_THREAD_cleanup_local(&threadstopkey); + key = destructor_key; + destructor_key = (CRYPTO_THREAD_LOCAL)-1; + CRYPTO_THREAD_cleanup_local(&key); #ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: OPENSSL_cleanup: " @@ -505,22 +551,18 @@ void OPENSSL_cleanup(void) */ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) { - static int stoperrset = 0; - if (stopped) { - if (!stoperrset) { - /* - * We only ever set this once to avoid getting into an infinite - * loop where the error system keeps trying to init and fails so - * sets an error etc - */ - stoperrset = 1; + if (!(opts & OPENSSL_INIT_BASE_ONLY)) CRYPTOerr(CRYPTO_F_OPENSSL_INIT_CRYPTO, ERR_R_INIT_FAIL); - } return 0; } - if (!base_inited && !RUN_ONCE(&base, ossl_init_base)) + if (!RUN_ONCE(&base, ossl_init_base)) + return 0; + + if (!(opts & OPENSSL_INIT_BASE_ONLY) + && !RUN_ONCE(&load_crypto_nodelete, + ossl_init_load_crypto_nodelete)) return 0; if ((opts & OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS) @@ -657,6 +699,12 @@ int OPENSSL_atexit(void (*handler)(void)) ERR_set_mark(); dso = DSO_dsobyaddr(handlersym.sym, DSO_FLAG_NO_UNLOAD_ON_FREE); +# ifdef OPENSSL_INIT_DEBUG + fprintf(stderr, + "OPENSSL_INIT: OPENSSL_atexit: obtained DSO reference? %s\n", + (dso == NULL ? "No!" : "Yes.")); + /* See same code above in ossl_init_base() for an explanation. */ +# endif DSO_free(dso); ERR_pop_to_mark(); } diff --git a/deps/openssl/openssl/crypto/lhash/lhash.c b/deps/openssl/openssl/crypto/lhash/lhash.c index 7777935182..f48541171c 100644 --- a/deps/openssl/openssl/crypto/lhash/lhash.c +++ b/deps/openssl/openssl/crypto/lhash/lhash.c @@ -49,7 +49,7 @@ OPENSSL_LHASH *OPENSSL_LH_new(OPENSSL_LH_HASHFUNC h, OPENSSL_LH_COMPFUNC c) return NULL; if ((ret->b = OPENSSL_zalloc(sizeof(*ret->b) * MIN_NODES)) == NULL) goto err; - if ((ret->retrieve_stats_lock = CRYPTO_THREAD_lock_new()) == NULL) + if ((ret->retrieve_stats_lock = CRYPTO_THREAD_lock_new()) == NULL) goto err; ret->comp = ((c == NULL) ? (OPENSSL_LH_COMPFUNC)strcmp : c); ret->hash = ((h == NULL) ? (OPENSSL_LH_HASHFUNC)OPENSSL_LH_strhash : h); diff --git a/deps/openssl/openssl/crypto/lhash/lhash_lcl.h b/deps/openssl/openssl/crypto/lhash/lhash_lcl.h index 64d3134fc1..01d463fb36 100644 --- a/deps/openssl/openssl/crypto/lhash/lhash_lcl.h +++ b/deps/openssl/openssl/crypto/lhash/lhash_lcl.h @@ -21,7 +21,7 @@ struct lhash_st { /* * some stats are updated on lookup, which callers aren't expecting to have * to take an exclusive lock around. This lock protects them on platforms - * without atomics, and their types are int rather than unsigned long below + * without atomics, and their types are int rather than unsigned long below * so they can be adjusted with CRYPTO_atomic_add. */ CRYPTO_RWLOCK *retrieve_stats_lock; diff --git a/deps/openssl/openssl/crypto/modes/asm/ghash-armv4.pl b/deps/openssl/openssl/crypto/modes/asm/ghash-armv4.pl index 7d880c94a7..1cf14a6c9f 100644 --- a/deps/openssl/openssl/crypto/modes/asm/ghash-armv4.pl +++ b/deps/openssl/openssl/crypto/modes/asm/ghash-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -145,6 +145,8 @@ $code=<<___; .text #if defined(__thumb2__) || defined(__clang__) .syntax unified +#define ldrplb ldrbpl +#define ldrneb ldrbne #endif #if defined(__thumb2__) .thumb @@ -152,11 +154,6 @@ $code=<<___; .code 32 #endif -#ifdef __clang__ -#define ldrplb ldrbpl -#define ldrneb ldrbne -#endif - .type rem_4bit,%object .align 5 rem_4bit: diff --git a/deps/openssl/openssl/crypto/modes/asm/ghashv8-armx.pl b/deps/openssl/openssl/crypto/modes/asm/ghashv8-armx.pl index dcd5f595d2..e13c709019 100644 --- a/deps/openssl/openssl/crypto/modes/asm/ghashv8-armx.pl +++ b/deps/openssl/openssl/crypto/modes/asm/ghashv8-armx.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -64,6 +64,7 @@ my ($t0,$t1,$t2,$xC2,$H,$Hhl,$H2)=map("q$_",(8..14)); $code=<<___; #include "arm_arch.h" +#if __ARM_MAX_ARCH__>=7 .text ___ $code.=".arch armv8-a+crypto\n" if ($flavour =~ /64/); @@ -351,6 +352,7 @@ ___ $code.=<<___; .asciz "GHASH for ARMv8, CRYPTOGAMS by <appro\@openssl.org>" .align 2 +#endif ___ if ($flavour =~ /64/) { ######## 64-bit code diff --git a/deps/openssl/openssl/crypto/modes/build.info b/deps/openssl/openssl/crypto/modes/build.info index b794c5041a..38195c44a5 100644 --- a/deps/openssl/openssl/crypto/modes/build.info +++ b/deps/openssl/openssl/crypto/modes/build.info @@ -19,8 +19,6 @@ GENERATE[ghash-armv4.S]=asm/ghash-armv4.pl $(PERLASM_SCHEME) INCLUDE[ghash-armv4.o]=.. GENERATE[ghashv8-armx.S]=asm/ghashv8-armx.pl $(PERLASM_SCHEME) INCLUDE[ghashv8-armx.o]=.. -GENERATE[ghash-s390x.S]=asm/ghash-s390x.pl $(PERLASM_SCHEME) -INCLUDE[ghash-s390x.o]=.. BEGINRAW[Makefile] # GNU make "catch all" diff --git a/deps/openssl/openssl/crypto/modes/modes_lcl.h b/deps/openssl/openssl/crypto/modes/modes_lcl.h index 7a1603bf90..4fc32e190f 100644 --- a/deps/openssl/openssl/crypto/modes/modes_lcl.h +++ b/deps/openssl/openssl/crypto/modes/modes_lcl.h @@ -1,5 +1,5 @@ /* - * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -174,12 +174,13 @@ struct ocb128_context { OCB_BLOCK l_dollar; OCB_BLOCK *l; /* Must be reset for each session */ - u64 blocks_hashed; - u64 blocks_processed; - OCB_BLOCK tag; - OCB_BLOCK offset_aad; - OCB_BLOCK sum; - OCB_BLOCK offset; - OCB_BLOCK checksum; + struct { + u64 blocks_hashed; + u64 blocks_processed; + OCB_BLOCK offset_aad; + OCB_BLOCK sum; + OCB_BLOCK offset; + OCB_BLOCK checksum; + } sess; }; #endif /* OPENSSL_NO_OCB */ diff --git a/deps/openssl/openssl/crypto/modes/ocb128.c b/deps/openssl/openssl/crypto/modes/ocb128.c index db794d0854..fc92b246bd 100644 --- a/deps/openssl/openssl/crypto/modes/ocb128.c +++ b/deps/openssl/openssl/crypto/modes/ocb128.c @@ -1,5 +1,5 @@ /* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -236,6 +236,9 @@ int CRYPTO_ocb128_setiv(OCB128_CONTEXT *ctx, const unsigned char *iv, return -1; } + /* Reset nonce-dependent variables */ + memset(&ctx->sess, 0, sizeof(ctx->sess)); + /* Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N */ nonce[0] = ((taglen * 8) % 128) << 1; memset(nonce + 1, 0, 15); @@ -256,10 +259,10 @@ int CRYPTO_ocb128_setiv(OCB128_CONTEXT *ctx, const unsigned char *iv, /* Offset_0 = Stretch[1+bottom..128+bottom] */ shift = bottom % 8; - ocb_block_lshift(stretch + (bottom / 8), shift, ctx->offset.c); + ocb_block_lshift(stretch + (bottom / 8), shift, ctx->sess.offset.c); mask = 0xff; mask <<= 8 - shift; - ctx->offset.c[15] |= + ctx->sess.offset.c[15] |= (*(stretch + (bottom / 8) + 16) & mask) >> (8 - shift); return 1; @@ -278,25 +281,25 @@ int CRYPTO_ocb128_aad(OCB128_CONTEXT *ctx, const unsigned char *aad, /* Calculate the number of blocks of AAD provided now, and so far */ num_blocks = len / 16; - all_num_blocks = num_blocks + ctx->blocks_hashed; + all_num_blocks = num_blocks + ctx->sess.blocks_hashed; /* Loop through all full blocks of AAD */ - for (i = ctx->blocks_hashed + 1; i <= all_num_blocks; i++) { + for (i = ctx->sess.blocks_hashed + 1; i <= all_num_blocks; i++) { OCB_BLOCK *lookup; /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ lookup = ocb_lookup_l(ctx, ocb_ntz(i)); if (lookup == NULL) return 0; - ocb_block16_xor(&ctx->offset_aad, lookup, &ctx->offset_aad); + ocb_block16_xor(&ctx->sess.offset_aad, lookup, &ctx->sess.offset_aad); memcpy(tmp.c, aad, 16); aad += 16; /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ - ocb_block16_xor(&ctx->offset_aad, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset_aad, &tmp, &tmp); ctx->encrypt(tmp.c, tmp.c, ctx->keyenc); - ocb_block16_xor(&tmp, &ctx->sum, &ctx->sum); + ocb_block16_xor(&tmp, &ctx->sess.sum, &ctx->sess.sum); } /* @@ -307,20 +310,21 @@ int CRYPTO_ocb128_aad(OCB128_CONTEXT *ctx, const unsigned char *aad, if (last_len > 0) { /* Offset_* = Offset_m xor L_* */ - ocb_block16_xor(&ctx->offset_aad, &ctx->l_star, &ctx->offset_aad); + ocb_block16_xor(&ctx->sess.offset_aad, &ctx->l_star, + &ctx->sess.offset_aad); /* CipherInput = (A_* || 1 || zeros(127-bitlen(A_*))) xor Offset_* */ memset(tmp.c, 0, 16); memcpy(tmp.c, aad, last_len); tmp.c[last_len] = 0x80; - ocb_block16_xor(&ctx->offset_aad, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset_aad, &tmp, &tmp); /* Sum = Sum_m xor ENCIPHER(K, CipherInput) */ ctx->encrypt(tmp.c, tmp.c, ctx->keyenc); - ocb_block16_xor(&tmp, &ctx->sum, &ctx->sum); + ocb_block16_xor(&tmp, &ctx->sess.sum, &ctx->sess.sum); } - ctx->blocks_hashed = all_num_blocks; + ctx->sess.blocks_hashed = all_num_blocks; return 1; } @@ -341,7 +345,7 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, * so far */ num_blocks = len / 16; - all_num_blocks = num_blocks + ctx->blocks_processed; + all_num_blocks = num_blocks + ctx->sess.blocks_processed; if (num_blocks && all_num_blocks == (size_t)all_num_blocks && ctx->stream != NULL) { @@ -357,11 +361,11 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, return 0; ctx->stream(in, out, num_blocks, ctx->keyenc, - (size_t)ctx->blocks_processed + 1, ctx->offset.c, - (const unsigned char (*)[16])ctx->l, ctx->checksum.c); + (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c, + (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c); } else { /* Loop through all full blocks to be encrypted */ - for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) { + for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) { OCB_BLOCK *lookup; OCB_BLOCK tmp; @@ -369,18 +373,18 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, lookup = ocb_lookup_l(ctx, ocb_ntz(i)); if (lookup == NULL) return 0; - ocb_block16_xor(&ctx->offset, lookup, &ctx->offset); + ocb_block16_xor(&ctx->sess.offset, lookup, &ctx->sess.offset); memcpy(tmp.c, in, 16); in += 16; /* Checksum_i = Checksum_{i-1} xor P_i */ - ocb_block16_xor(&tmp, &ctx->checksum, &ctx->checksum); + ocb_block16_xor(&tmp, &ctx->sess.checksum, &ctx->sess.checksum); /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ - ocb_block16_xor(&ctx->offset, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp); ctx->encrypt(tmp.c, tmp.c, ctx->keyenc); - ocb_block16_xor(&ctx->offset, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp); memcpy(out, tmp.c, 16); out += 16; @@ -397,10 +401,10 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, OCB_BLOCK pad; /* Offset_* = Offset_m xor L_* */ - ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset); + ocb_block16_xor(&ctx->sess.offset, &ctx->l_star, &ctx->sess.offset); /* Pad = ENCIPHER(K, Offset_*) */ - ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc); + ctx->encrypt(ctx->sess.offset.c, pad.c, ctx->keyenc); /* C_* = P_* xor Pad[1..bitlen(P_*)] */ ocb_block_xor(in, pad.c, last_len, out); @@ -409,10 +413,10 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, memset(pad.c, 0, 16); /* borrow pad */ memcpy(pad.c, in, last_len); pad.c[last_len] = 0x80; - ocb_block16_xor(&pad, &ctx->checksum, &ctx->checksum); + ocb_block16_xor(&pad, &ctx->sess.checksum, &ctx->sess.checksum); } - ctx->blocks_processed = all_num_blocks; + ctx->sess.blocks_processed = all_num_blocks; return 1; } @@ -433,7 +437,7 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx, * so far */ num_blocks = len / 16; - all_num_blocks = num_blocks + ctx->blocks_processed; + all_num_blocks = num_blocks + ctx->sess.blocks_processed; if (num_blocks && all_num_blocks == (size_t)all_num_blocks && ctx->stream != NULL) { @@ -449,30 +453,30 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx, return 0; ctx->stream(in, out, num_blocks, ctx->keydec, - (size_t)ctx->blocks_processed + 1, ctx->offset.c, - (const unsigned char (*)[16])ctx->l, ctx->checksum.c); + (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c, + (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c); } else { OCB_BLOCK tmp; /* Loop through all full blocks to be decrypted */ - for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) { + for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) { /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ OCB_BLOCK *lookup = ocb_lookup_l(ctx, ocb_ntz(i)); if (lookup == NULL) return 0; - ocb_block16_xor(&ctx->offset, lookup, &ctx->offset); + ocb_block16_xor(&ctx->sess.offset, lookup, &ctx->sess.offset); memcpy(tmp.c, in, 16); in += 16; /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ - ocb_block16_xor(&ctx->offset, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp); ctx->decrypt(tmp.c, tmp.c, ctx->keydec); - ocb_block16_xor(&ctx->offset, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp); /* Checksum_i = Checksum_{i-1} xor P_i */ - ocb_block16_xor(&tmp, &ctx->checksum, &ctx->checksum); + ocb_block16_xor(&tmp, &ctx->sess.checksum, &ctx->sess.checksum); memcpy(out, tmp.c, 16); out += 16; @@ -489,10 +493,10 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx, OCB_BLOCK pad; /* Offset_* = Offset_m xor L_* */ - ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset); + ocb_block16_xor(&ctx->sess.offset, &ctx->l_star, &ctx->sess.offset); /* Pad = ENCIPHER(K, Offset_*) */ - ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc); + ctx->encrypt(ctx->sess.offset.c, pad.c, ctx->keyenc); /* P_* = C_* xor Pad[1..bitlen(C_*)] */ ocb_block_xor(in, pad.c, last_len, out); @@ -501,39 +505,46 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx, memset(pad.c, 0, 16); /* borrow pad */ memcpy(pad.c, out, last_len); pad.c[last_len] = 0x80; - ocb_block16_xor(&pad, &ctx->checksum, &ctx->checksum); + ocb_block16_xor(&pad, &ctx->sess.checksum, &ctx->sess.checksum); } - ctx->blocks_processed = all_num_blocks; + ctx->sess.blocks_processed = all_num_blocks; return 1; } -/* - * Calculate the tag and verify it against the supplied tag - */ -int CRYPTO_ocb128_finish(OCB128_CONTEXT *ctx, const unsigned char *tag, - size_t len) +static int ocb_finish(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len, + int write) { OCB_BLOCK tmp; + if (len > 16 || len < 1) { + return -1; + } + /* * Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A) */ - ocb_block16_xor(&ctx->checksum, &ctx->offset, &tmp); + ocb_block16_xor(&ctx->sess.checksum, &ctx->sess.offset, &tmp); ocb_block16_xor(&ctx->l_dollar, &tmp, &tmp); ctx->encrypt(tmp.c, tmp.c, ctx->keyenc); - ocb_block16_xor(&tmp, &ctx->sum, &ctx->tag); + ocb_block16_xor(&tmp, &ctx->sess.sum, &tmp); - if (len > 16 || len < 1) { - return -1; + if (write) { + memcpy(tag, &tmp, len); + return 1; + } else { + return CRYPTO_memcmp(&tmp, tag, len); } +} - /* Compare the tag if we've been given one */ - if (tag) - return CRYPTO_memcmp(&ctx->tag, tag, len); - else - return -1; +/* + * Calculate the tag and verify it against the supplied tag + */ +int CRYPTO_ocb128_finish(OCB128_CONTEXT *ctx, const unsigned char *tag, + size_t len) +{ + return ocb_finish(ctx, (unsigned char*)tag, len, 0); } /* @@ -541,17 +552,7 @@ int CRYPTO_ocb128_finish(OCB128_CONTEXT *ctx, const unsigned char *tag, */ int CRYPTO_ocb128_tag(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len) { - if (len > 16 || len < 1) { - return -1; - } - - /* Calculate the tag */ - CRYPTO_ocb128_finish(ctx, NULL, 0); - - /* Copy the tag into the supplied buffer */ - memcpy(tag, ctx->tag.c, len); - - return 1; + return ocb_finish(ctx, tag, len, 1); } /* diff --git a/deps/openssl/openssl/crypto/o_fopen.c b/deps/openssl/openssl/crypto/o_fopen.c index a3a006574d..bfd5af1151 100644 --- a/deps/openssl/openssl/crypto/o_fopen.c +++ b/deps/openssl/openssl/crypto/o_fopen.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,6 +7,24 @@ * https://www.openssl.org/source/license.html */ +# if defined(__linux) || defined(__sun) || defined(__hpux) +/* + * Following definition aliases fopen to fopen64 on above mentioned + * platforms. This makes it possible to open and sequentially access files + * larger than 2GB from 32-bit application. It does not allow to traverse + * them beyond 2GB with fseek/ftell, but on the other hand *no* 32-bit + * platform permits that, not with fseek/ftell. Not to mention that breaking + * 2GB limit for seeking would require surgery to *our* API. But sequential + * access suffices for practical cases when you can run into large files, + * such as fingerprinting, so we can let API alone. For reference, the list + * of 32-bit platforms which allow for sequential access of large files + * without extra "magic" comprise *BSD, Darwin, IRIX... + */ +# ifndef _FILE_OFFSET_BITS +# define _FILE_OFFSET_BITS 64 +# endif +# endif + #include "internal/cryptlib.h" #if !defined(OPENSSL_NO_STDIO) diff --git a/deps/openssl/openssl/crypto/o_time.c b/deps/openssl/openssl/crypto/o_time.c index b2fb38a541..6d764f55e2 100644 --- a/deps/openssl/openssl/crypto/o_time.c +++ b/deps/openssl/openssl/crypto/o_time.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -41,6 +41,10 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result) if (gmtime_r(timer, result) == NULL) return NULL; ts = result; +#elif defined (OPENSSL_SYS_WINDOWS) && defined(_MSC_VER) && _MSC_VER >= 1400 + if (gmtime_s(result, timer)) + return NULL; + ts = result; #else ts = gmtime(timer); if (ts == NULL) diff --git a/deps/openssl/openssl/crypto/objects/o_names.c b/deps/openssl/openssl/crypto/objects/o_names.c index e06d5439f2..15fe653d09 100644 --- a/deps/openssl/openssl/crypto/objects/o_names.c +++ b/deps/openssl/openssl/crypto/objects/o_names.c @@ -202,7 +202,7 @@ const char *OBJ_NAME_get(const char *name, int type) } } - CRYPTO_THREAD_unlock(lock); + CRYPTO_THREAD_unlock(lock); return value; } @@ -212,7 +212,7 @@ int OBJ_NAME_add(const char *name, int type, const char *data) int alias, ok = 0; if (!OBJ_NAME_init()) - return 0; + return 0; CRYPTO_THREAD_write_lock(lock); diff --git a/deps/openssl/openssl/crypto/objects/objects.txt b/deps/openssl/openssl/crypto/objects/objects.txt index f1da8071ad..fc0781d1c9 100644 --- a/deps/openssl/openssl/crypto/objects/objects.txt +++ b/deps/openssl/openssl/crypto/objects/objects.txt @@ -1482,3 +1482,4 @@ id-pkinit 5 : pkInitKDC : Signing KDC Response : AuthGOST12 : auth-gost12 : AuthSRP : auth-srp : AuthNULL : auth-null + diff --git a/deps/openssl/openssl/crypto/pem/pem_lib.c b/deps/openssl/openssl/crypto/pem/pem_lib.c index e9202f44ae..6f06c5291f 100644 --- a/deps/openssl/openssl/crypto/pem/pem_lib.c +++ b/deps/openssl/openssl/crypto/pem/pem_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -28,23 +28,23 @@ static int load_iv(char **fromp, unsigned char *to, int num); static int check_pem(const char *nm, const char *name); int pem_check_suffix(const char *pem_str, const char *suffix); -int PEM_def_callback(char *buf, int num, int w, void *key) +int PEM_def_callback(char *buf, int num, int rwflag, void *userdata) { -#if defined(OPENSSL_NO_STDIO) || defined(OPENSSL_NO_UI) int i; -#else - int i, j; +#ifndef OPENSSL_NO_UI + int min_len; const char *prompt; #endif - if (key) { - i = strlen(key); + /* We assume that the user passes a default password as userdata */ + if (userdata) { + i = strlen(userdata); i = (i > num) ? num : i; - memcpy(buf, key, i); + memcpy(buf, userdata, i); return i; } -#if defined(OPENSSL_NO_STDIO) || defined(OPENSSL_NO_UI) +#ifdef OPENSSL_NO_UI PEMerr(PEM_F_PEM_DEF_CALLBACK, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return -1; #else @@ -52,28 +52,22 @@ int PEM_def_callback(char *buf, int num, int w, void *key) if (prompt == NULL) prompt = "Enter PEM pass phrase:"; - for (;;) { - /* - * We assume that w == 0 means decryption, - * while w == 1 means encryption - */ - int min_len = w ? MIN_LENGTH : 0; + /* + * rwflag == 0 means decryption + * rwflag == 1 means encryption + * + * We assume that for encryption, we want a minimum length, while for + * decryption, we cannot know any minimum length, so we assume zero. + */ + min_len = rwflag ? MIN_LENGTH : 0; - i = EVP_read_pw_string_min(buf, min_len, num, prompt, w); - if (i != 0) { - PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD); - memset(buf, 0, (unsigned int)num); - return -1; - } - j = strlen(buf); - if (min_len && j < min_len) { - fprintf(stderr, - "phrase is too short, needs to be at least %d chars\n", - min_len); - } else - break; + i = EVP_read_pw_string_min(buf, min_len, num, prompt, rwflag); + if (i != 0) { + PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD); + memset(buf, 0, (unsigned int)num); + return -1; } - return j; + return strlen(buf); #endif } @@ -414,7 +408,7 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen, keylen = PEM_def_callback(buf, PEM_BUFSIZE, 0, u); else keylen = callback(buf, PEM_BUFSIZE, 0, u); - if (keylen <= 0) { + if (keylen < 0) { PEMerr(PEM_F_PEM_DO_HEADER, PEM_R_BAD_PASSWORD_READ); return 0; } @@ -472,6 +466,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher) char *dekinfostart, c; cipher->cipher = NULL; + memset(cipher->iv, 0, sizeof(cipher->iv)); if ((header == NULL) || (*header == '\0') || (*header == '\n')) return 1; diff --git a/deps/openssl/openssl/crypto/pem/pem_pk8.c b/deps/openssl/openssl/crypto/pem/pem_pk8.c index 5caad9faab..a8363b39b9 100644 --- a/deps/openssl/openssl/crypto/pem/pem_pk8.c +++ b/deps/openssl/openssl/crypto/pem/pem_pk8.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -124,7 +124,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, klen = cb(psbuf, PEM_BUFSIZE, 0, u); else klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); - if (klen <= 0) { + if (klen < 0) { PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_BIO, PEM_R_BAD_PASSWORD_READ); X509_SIG_free(p8); return NULL; diff --git a/deps/openssl/openssl/crypto/pem/pem_pkey.c b/deps/openssl/openssl/crypto/pem/pem_pkey.c index 671b374f36..7dadc1391c 100644 --- a/deps/openssl/openssl/crypto/pem/pem_pkey.c +++ b/deps/openssl/openssl/crypto/pem/pem_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -59,7 +59,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, klen = cb(psbuf, PEM_BUFSIZE, 0, u); else klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); - if (klen <= 0) { + if (klen < 0) { PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, PEM_R_BAD_PASSWORD_READ); X509_SIG_free(p8); goto err; diff --git a/deps/openssl/openssl/crypto/pem/pvkfmt.c b/deps/openssl/openssl/crypto/pem/pvkfmt.c index d0a423957c..63ce925963 100644 --- a/deps/openssl/openssl/crypto/pem/pvkfmt.c +++ b/deps/openssl/openssl/crypto/pem/pvkfmt.c @@ -685,7 +685,7 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in, inlen = cb(psbuf, PEM_BUFSIZE, 0, u); else inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); - if (inlen <= 0) { + if (inlen < 0) { PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ); goto err; } diff --git a/deps/openssl/openssl/crypto/perlasm/README b/deps/openssl/openssl/crypto/perlasm/README index 15f139d354..e90bd8e014 100644 --- a/deps/openssl/openssl/crypto/perlasm/README +++ b/deps/openssl/openssl/crypto/perlasm/README @@ -61,7 +61,7 @@ So a very simple version of this function could be coded as push(@INC,"perlasm","../../perlasm"); require "x86asm.pl"; - + &asm_init($ARGV[0],"cacl.pl"); &external_label("other"); @@ -121,3 +121,4 @@ void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length, &cbc("des_ncbc_encrypt","des_encrypt","des_encrypt",0,4,5,3,5,-1); &cbc("des_ede3_cbc_encrypt","des_encrypt3","des_decrypt3",0,6,7,3,4,5); + diff --git a/deps/openssl/openssl/crypto/pkcs12/p12_asn.c b/deps/openssl/openssl/crypto/pkcs12/p12_asn.c index f2bfe32ebd..422dfc398f 100644 --- a/deps/openssl/openssl/crypto/pkcs12/p12_asn.c +++ b/deps/openssl/openssl/crypto/pkcs12/p12_asn.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -51,7 +51,7 @@ ASN1_ADB_TEMPLATE(safebag_default) = ASN1_EXP(PKCS12_SAFEBAG, value.other, ASN1_ ASN1_ADB(PKCS12_SAFEBAG) = { ADB_ENTRY(NID_keyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)), ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.shkeybag, X509_SIG, 0)), - ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)), + ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SEQUENCE_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)), ADB_ENTRY(NID_certBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)), ADB_ENTRY(NID_crlBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)), ADB_ENTRY(NID_secretBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)) diff --git a/deps/openssl/openssl/crypto/poly1305/asm/poly1305-armv4.pl b/deps/openssl/openssl/crypto/poly1305/asm/poly1305-armv4.pl index fc899ced86..5cdb6be059 100755 --- a/deps/openssl/openssl/crypto/poly1305/asm/poly1305-armv4.pl +++ b/deps/openssl/openssl/crypto/poly1305/asm/poly1305-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -186,6 +186,7 @@ $code.=<<___; .type poly1305_blocks,%function .align 5 poly1305_blocks: +.Lpoly1305_blocks: stmdb sp!,{r3-r11,lr} ands $len,$len,#-16 @@ -677,7 +678,7 @@ poly1305_blocks_neon: cmp $len,#64 bhs .Lenter_neon tst ip,ip @ is_base2_26? - beq poly1305_blocks + beq .Lpoly1305_blocks .Lenter_neon: stmdb sp!,{r4-r7} diff --git a/deps/openssl/openssl/crypto/poly1305/asm/poly1305-mips.pl b/deps/openssl/openssl/crypto/poly1305/asm/poly1305-mips.pl index 024696a599..d2b3e90d93 100755 --- a/deps/openssl/openssl/crypto/poly1305/asm/poly1305-mips.pl +++ b/deps/openssl/openssl/crypto/poly1305/asm/poly1305-mips.pl @@ -422,3 +422,4 @@ ___ $output=pop and open STDOUT,">$output"; print $code; close STDOUT; + diff --git a/deps/openssl/openssl/crypto/poly1305/asm/poly1305-x86.pl b/deps/openssl/openssl/crypto/poly1305/asm/poly1305-x86.pl index ab24dfcfad..93179e37d5 100755 --- a/deps/openssl/openssl/crypto/poly1305/asm/poly1305-x86.pl +++ b/deps/openssl/openssl/crypto/poly1305/asm/poly1305-x86.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -70,7 +70,7 @@ if ($sse2) { $avx = ($1>=2.09) + ($1>=2.10); } - if (!$avx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/) { + if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } } diff --git a/deps/openssl/openssl/crypto/poly1305/build.info b/deps/openssl/openssl/crypto/poly1305/build.info index f90ce2b950..d575f5a63e 100644 --- a/deps/openssl/openssl/crypto/poly1305/build.info +++ b/deps/openssl/openssl/crypto/poly1305/build.info @@ -13,8 +13,6 @@ INCLUDE[poly1305-armv4.o]=.. GENERATE[poly1305-armv8.S]=asm/poly1305-armv8.pl $(PERLASM_SCHEME) INCLUDE[poly1305-armv8.o]=.. GENERATE[poly1305-mips.S]=asm/poly1305-mips.pl $(PERLASM_SCHEME) -GENERATE[poly1305-s390x.S]=asm/poly1305-s390x.pl $(PERLASM_SCHEME) -INCLUDE[poly1305-s390x.o]=.. BEGINRAW[Makefile(unix)] {- $builddir -}/poly1305-%.S: {- $sourcedir -}/asm/poly1305-%.pl diff --git a/deps/openssl/openssl/crypto/rc4/asm/rc4-c64xplus.pl b/deps/openssl/openssl/crypto/rc4/asm/rc4-c64xplus.pl index 1354d18214..184922c128 100644 --- a/deps/openssl/openssl/crypto/rc4/asm/rc4-c64xplus.pl +++ b/deps/openssl/openssl/crypto/rc4/asm/rc4-c64xplus.pl @@ -89,7 +89,7 @@ _RC4: || NOP 5 STB $XX,*${KEYA}[-2] ; key->x || SUB4 $YY,$TX,$YY -|| BNOP B3 +|| BNOP B3 STB $YY,*${KEYB}[-1] ; key->y || NOP 5 .endasmfunc diff --git a/deps/openssl/openssl/crypto/rc4/build.info b/deps/openssl/openssl/crypto/rc4/build.info index 000fd6bc0d..8659526d71 100644 --- a/deps/openssl/openssl/crypto/rc4/build.info +++ b/deps/openssl/openssl/crypto/rc4/build.info @@ -10,8 +10,6 @@ GENERATE[rc4-md5-x86_64.s]=asm/rc4-md5-x86_64.pl $(PERLASM_SCHEME) GENERATE[rc4-parisc.s]=asm/rc4-parisc.pl $(PERLASM_SCHEME) -GENERATE[rc4-s390x.s]=asm/rc4-s390x.pl $(PERLASM_SCHEME) - BEGINRAW[makefile(windows)] {- $builddir -}\rc4-ia64.asm: {- $sourcedir -}\asm\rc4-ia64.pl $(PERL) {- $sourcedir -}\asm\rc4-ia64.pl $@.S diff --git a/deps/openssl/openssl/crypto/rsa/rsa_gen.c b/deps/openssl/openssl/crypto/rsa/rsa_gen.c index 9af43e0586..79f77e3eaf 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_gen.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_gen.c @@ -89,6 +89,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, if (BN_copy(rsa->e, e_value) == NULL) goto err; + BN_set_flags(rsa->p, BN_FLG_CONSTTIME); + BN_set_flags(rsa->q, BN_FLG_CONSTTIME); BN_set_flags(r2, BN_FLG_CONSTTIME); /* generate p and q */ for (;;) { diff --git a/deps/openssl/openssl/crypto/rsa/rsa_meth.c b/deps/openssl/openssl/crypto/rsa/rsa_meth.c index be84923b34..83de5540d0 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_meth.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_meth.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -75,7 +75,7 @@ int RSA_meth_set1_name(RSA_METHOD *meth, const char *name) return 1; } -int RSA_meth_get_flags(RSA_METHOD *meth) +int RSA_meth_get_flags(const RSA_METHOD *meth) { return meth->flags; } @@ -270,3 +270,4 @@ int RSA_meth_set_keygen(RSA_METHOD *meth, meth->rsa_keygen = keygen; return 1; } + diff --git a/deps/openssl/openssl/crypto/rsa/rsa_oaep.c b/deps/openssl/openssl/crypto/rsa/rsa_oaep.c index 4878d495fe..f3135198a3 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_oaep.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_oaep.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -155,32 +155,40 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, dblen = num - mdlen - 1; db = OPENSSL_malloc(dblen); - em = OPENSSL_malloc(num); - if (db == NULL || em == NULL) { + if (db == NULL) { RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE); goto cleanup; } - /* - * Always do this zero-padding copy (even when num == flen) to avoid - * leaking that information. The copy still leaks some side-channel - * information, but it's impossible to have a fixed memory access - * pattern since we can't read out of the bounds of |from|. - * - * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL. - */ - memset(em, 0, num); - memcpy(em + num - flen, from, flen); + if (flen != num) { + em = OPENSSL_zalloc(num); + if (em == NULL) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, + ERR_R_MALLOC_FAILURE); + goto cleanup; + } + + /* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad, but if it doesn't, we do this zero-padding copy + * to avoid leaking that information. The copy still leaks some + * side-channel information, but it's impossible to have a fixed + * memory access pattern since we can't read out of the bounds of + * |from|. + */ + memcpy(em + num - flen, from, flen); + from = em; + } /* * The first byte must be zero, however we must not leak if this is * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). */ - good = constant_time_is_zero(em[0]); + good = constant_time_is_zero(from[0]); - maskedseed = em + 1; - maskeddb = em + 1 + mdlen; + maskedseed = from + 1; + maskeddb = from + 1 + mdlen; if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) goto cleanup; diff --git a/deps/openssl/openssl/crypto/rsa/rsa_ossl.c b/deps/openssl/openssl/crypto/rsa/rsa_ossl.c index 62a88959fa..36c4e42a0f 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_ossl.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_ossl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -62,7 +62,7 @@ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { BIGNUM *f, *ret; - int i, j, k, num = 0, r = -1; + int i, num = 0, r = -1; unsigned char *buf = NULL; BN_CTX *ctx = NULL; @@ -136,15 +136,10 @@ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, goto err; /* - * put in leading 0 bytes if the number is less than the length of the - * modulus + * BN_bn2binpad puts in leading 0 bytes if the number is less than + * the length of the modulus. */ - j = BN_num_bytes(ret); - i = BN_bn2bin(ret, &(to[num - j])); - for (k = 0; k < (num - i); k++) - to[k] = 0; - - r = num; + r = BN_bn2binpad(ret, to, num); err: if (ctx != NULL) BN_CTX_end(ctx); @@ -233,7 +228,7 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { BIGNUM *f, *ret, *res; - int i, j, k, num = 0, r = -1; + int i, num = 0, r = -1; unsigned char *buf = NULL; BN_CTX *ctx = NULL; int local_blinding = 0; @@ -337,7 +332,8 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, goto err; if (padding == RSA_X931_PADDING) { - BN_sub(f, rsa->n, ret); + if (!BN_sub(f, rsa->n, ret)) + goto err; if (BN_cmp(ret, f) > 0) res = f; else @@ -346,15 +342,10 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, res = ret; /* - * put in leading 0 bytes if the number is less than the length of the - * modulus + * BN_bn2binpad puts in leading 0 bytes if the number is less than + * the length of the modulus. */ - j = BN_num_bytes(res); - i = BN_bn2bin(res, &(to[num - j])); - for (k = 0; k < (num - i); k++) - to[k] = 0; - - r = num; + r = BN_bn2binpad(res, to, num); err: if (ctx != NULL) BN_CTX_end(ctx); @@ -368,7 +359,6 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, { BIGNUM *f, *ret; int j, num = 0, r = -1; - unsigned char *p; unsigned char *buf = NULL; BN_CTX *ctx = NULL; int local_blinding = 0; @@ -463,8 +453,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) goto err; - p = buf; - j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */ + j = BN_bn2binpad(ret, buf, num); switch (padding) { case RSA_PKCS1_PADDING: @@ -477,7 +466,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, r = RSA_padding_check_SSLv23(to, num, buf, j, num); break; case RSA_NO_PADDING: - r = RSA_padding_check_none(to, num, buf, j, num); + memcpy(to, buf, (r = j)); break; default: RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); @@ -500,7 +489,6 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, { BIGNUM *f, *ret; int i, num = 0, r = -1; - unsigned char *p; unsigned char *buf = NULL; BN_CTX *ctx = NULL; @@ -565,8 +553,7 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, if (!BN_sub(ret, rsa->n, ret)) goto err; - p = buf; - i = BN_bn2bin(ret, p); + i = BN_bn2binpad(ret, buf, num); switch (padding) { case RSA_PKCS1_PADDING: @@ -576,7 +563,7 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, r = RSA_padding_check_X931(to, num, buf, i, num); break; case RSA_NO_PADDING: - r = RSA_padding_check_none(to, num, buf, i, num); + memcpy(to, buf, (r = i)); break; default: RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); diff --git a/deps/openssl/openssl/crypto/rsa/rsa_pk1.c b/deps/openssl/openssl/crypto/rsa/rsa_pk1.c index aeeb32c2dc..63d6c3a3b8 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_pk1.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_pk1.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -175,27 +175,30 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, if (num < 11) goto err; - em = OPENSSL_zalloc(num); - if (em == NULL) { - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); - return -1; + if (flen != num) { + em = OPENSSL_zalloc(num); + if (em == NULL) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); + return -1; + } + /* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad, but if it doesn't, we do this zero-padding copy + * to avoid leaking that information. The copy still leaks some + * side-channel information, but it's impossible to have a fixed + * memory access pattern since we can't read out of the bounds of + * |from|. + */ + memcpy(em + num - flen, from, flen); + from = em; } - /* - * Always do this zero-padding copy (even when num == flen) to avoid - * leaking that information. The copy still leaks some side-channel - * information, but it's impossible to have a fixed memory access - * pattern since we can't read out of the bounds of |from|. - * - * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL. - */ - memcpy(em + num - flen, from, flen); - good = constant_time_is_zero(em[0]); - good &= constant_time_eq(em[1], 2); + good = constant_time_is_zero(from[0]); + good &= constant_time_eq(from[1], 2); found_zero_byte = 0; for (i = 2; i < num; i++) { - unsigned int equals0 = constant_time_is_zero(em[i]); + unsigned int equals0 = constant_time_is_zero(from[i]); zero_index = constant_time_select_int(~found_zero_byte & equals0, i, zero_index); @@ -203,7 +206,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, } /* - * PS must be at least 8 bytes long, and it starts two bytes into |em|. + * PS must be at least 8 bytes long, and it starts two bytes into |from|. * If we never found a 0-byte, then |zero_index| is 0 and the check * also fails. */ @@ -232,7 +235,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, goto err; } - memcpy(to, em + msg_index, mlen); + memcpy(to, from + msg_index, mlen); err: OPENSSL_clear_free(em, num); diff --git a/deps/openssl/openssl/crypto/rsa/rsa_ssl.c b/deps/openssl/openssl/crypto/rsa/rsa_ssl.c index 9ef6b80ea8..77b28b46f2 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_ssl.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_ssl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -63,6 +63,14 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL); return (-1); } + /* Accept even zero-padded input */ + if (flen == num) { + if (*(p++) != 0) { + RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02); + return -1; + } + flen--; + } if ((num != (flen + 1)) || (*(p++) != 02)) { RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02); return (-1); diff --git a/deps/openssl/openssl/crypto/sha/asm/sha1-586.pl b/deps/openssl/openssl/crypto/sha/asm/sha1-586.pl index 5adca23404..cf34b2c293 100644 --- a/deps/openssl/openssl/crypto/sha/asm/sha1-586.pl +++ b/deps/openssl/openssl/crypto/sha/asm/sha1-586.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -141,7 +141,7 @@ $ymm=1 if ($xmm && !$ymm && $ARGV[0] eq "win32" && `ml 2>&1` =~ /Version ([0-9]+)\./ && $1>=10); # first version supporting AVX -$ymm=1 if ($xmm && !$ymm && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/ && +$ymm=1 if ($xmm && !$ymm && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/ && $2>=3.0); # first version supporting AVX $shaext=$xmm; ### set to zero if compiling for 1.0.1 diff --git a/deps/openssl/openssl/crypto/sha/asm/sha256-586.pl b/deps/openssl/openssl/crypto/sha/asm/sha256-586.pl index 6af1d84beb..72ee0c7b83 100644 --- a/deps/openssl/openssl/crypto/sha/asm/sha256-586.pl +++ b/deps/openssl/openssl/crypto/sha/asm/sha256-586.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -93,7 +93,7 @@ if ($xmm && !$avx && $ARGV[0] eq "win32" && $avx = ($1>=10) + ($1>=11); } -if ($xmm && !$avx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/) { +if ($xmm && !$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } diff --git a/deps/openssl/openssl/crypto/sha/asm/sha256-armv4.pl b/deps/openssl/openssl/crypto/sha/asm/sha256-armv4.pl index 55d30cba3a..edcfc31278 100644 --- a/deps/openssl/openssl/crypto/sha/asm/sha256-armv4.pl +++ b/deps/openssl/openssl/crypto/sha/asm/sha256-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -254,7 +254,7 @@ for($i=0;$i<16;$i++) { &BODY_00_15($i,@V); unshift(@V,pop(@V)); } $code.=".Lrounds_16_xx:\n"; for (;$i<32;$i++) { &BODY_16_XX($i,@V); unshift(@V,pop(@V)); } $code.=<<___; -#if __ARM_ARCH__>=7 +#ifdef __thumb2__ ite eq @ Thumb2 thing, sanity check in ARM #endif ldreq $t3,[sp,#16*4] @ pull ctx diff --git a/deps/openssl/openssl/crypto/sha/asm/sha512-armv4.pl b/deps/openssl/openssl/crypto/sha/asm/sha512-armv4.pl index 22b5a9d0b1..0b4c5674d9 100644 --- a/deps/openssl/openssl/crypto/sha/asm/sha512-armv4.pl +++ b/deps/openssl/openssl/crypto/sha/asm/sha512-armv4.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -157,7 +157,7 @@ $code.=<<___; teq $t0,#$magic ldr $t3,[sp,#$Coff+0] @ c.lo -#if __ARM_ARCH__>=7 +#ifdef __thumb2__ it eq @ Thumb2 thing, sanity check in ARM #endif orreq $Ktbl,$Ktbl,#1 @@ -411,7 +411,7 @@ $code.=<<___; ___ &BODY_00_15(0x17); $code.=<<___; -#if __ARM_ARCH__>=7 +#ifdef __thumb2__ ittt eq @ Thumb2 thing, sanity check in ARM #endif ldreq $t0,[sp,#`$Xoff+8*(16-1)`+0] diff --git a/deps/openssl/openssl/crypto/sha/build.info b/deps/openssl/openssl/crypto/sha/build.info index 2a00988786..5843e50894 100644 --- a/deps/openssl/openssl/crypto/sha/build.info +++ b/deps/openssl/openssl/crypto/sha/build.info @@ -56,13 +56,6 @@ INCLUDE[sha256-armv8.o]=.. GENERATE[sha512-armv8.S]=asm/sha512-armv8.pl $(PERLASM_SCHEME) INCLUDE[sha512-armv8.o]=.. -GENERATE[sha1-s390x.S]=asm/sha1-s390x.pl $(PERLASM_SCHEME) -INCLUDE[sha1-s390x.o]=.. -GENERATE[sha256-s390x.S]=asm/sha512-s390x.pl $(PERLASM_SCHEME) -INCLUDE[sha256-s390x.o]=.. -GENERATE[sha512-s390x.S]=asm/sha512-s390x.pl $(PERLASM_SCHEME) -INCLUDE[sha512-s390x.o]=.. - BEGINRAW[Makefile(unix)] ##### SHA assembler implementations diff --git a/deps/openssl/openssl/crypto/threads_win.c b/deps/openssl/openssl/crypto/threads_win.c index 4e0de908ee..27334e13f3 100644 --- a/deps/openssl/openssl/crypto/threads_win.c +++ b/deps/openssl/openssl/crypto/threads_win.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -98,7 +98,26 @@ int CRYPTO_THREAD_init_local(CRYPTO_THREAD_LOCAL *key, void (*cleanup)(void *)) void *CRYPTO_THREAD_get_local(CRYPTO_THREAD_LOCAL *key) { - return TlsGetValue(*key); + DWORD last_error; + void *ret; + + /* + * TlsGetValue clears the last error even on success, so that callers may + * distinguish it successfully returning NULL or failing. It is documented + * to never fail if the argument is a valid index from TlsAlloc, so we do + * not need to handle this. + * + * However, this error-mangling behavior interferes with the caller's use of + * GetLastError. In particular SSL_get_error queries the error queue to + * determine whether the caller should look at the OS's errors. To avoid + * destroying state, save and restore the Windows error. + * + * https://msdn.microsoft.com/en-us/library/windows/desktop/ms686812(v=vs.85).aspx + */ + last_error = GetLastError(); + ret = TlsGetValue(*key); + SetLastError(last_error); + return ret; } int CRYPTO_THREAD_set_local(CRYPTO_THREAD_LOCAL *key, void *val) diff --git a/deps/openssl/openssl/crypto/ts/ts_lib.c b/deps/openssl/openssl/crypto/ts/ts_lib.c index de36e0e084..ce2e12c593 100644 --- a/deps/openssl/openssl/crypto/ts/ts_lib.c +++ b/deps/openssl/openssl/crypto/ts/ts_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -22,10 +22,9 @@ int TS_ASN1_INTEGER_print_bio(BIO *bio, const ASN1_INTEGER *num) int result = 0; char *hex; - num_bn = BN_new(); + num_bn = ASN1_INTEGER_to_BN(num, NULL); if (num_bn == NULL) return -1; - ASN1_INTEGER_to_BN(num, num_bn); if ((hex = BN_bn2hex(num_bn))) { result = BIO_write(bio, "0x", 2) > 0; result = result && BIO_write(bio, hex, strlen(hex)) > 0; diff --git a/deps/openssl/openssl/crypto/ts/ts_rsp_sign.c b/deps/openssl/openssl/crypto/ts/ts_rsp_sign.c index aea7b922a3..0d714a71b7 100644 --- a/deps/openssl/openssl/crypto/ts/ts_rsp_sign.c +++ b/deps/openssl/openssl/crypto/ts/ts_rsp_sign.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -16,6 +16,7 @@ #include <openssl/objects.h> #include <openssl/ts.h> #include <openssl/pkcs7.h> +#include <openssl/crypto.h> #include "ts_lcl.h" static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *, void *); @@ -840,7 +841,7 @@ static ASN1_GENERALIZEDTIME long sec, long usec, unsigned precision) { time_t time_sec = (time_t)sec; - struct tm *tm = NULL; + struct tm *tm = NULL, tm_result; char genTime_str[17 + TS_MAX_CLOCK_PRECISION_DIGITS]; char *p = genTime_str; char *p_end = genTime_str + sizeof(genTime_str); @@ -848,7 +849,7 @@ static ASN1_GENERALIZEDTIME if (precision > TS_MAX_CLOCK_PRECISION_DIGITS) goto err; - if ((tm = gmtime(&time_sec)) == NULL) + if ((tm = OPENSSL_gmtime(&time_sec, &tm_result)) == NULL) goto err; /* diff --git a/deps/openssl/openssl/crypto/ts/ts_rsp_verify.c b/deps/openssl/openssl/crypto/ts/ts_rsp_verify.c index 66f5be6f69..2755dd0ef3 100644 --- a/deps/openssl/openssl/crypto/ts/ts_rsp_verify.c +++ b/deps/openssl/openssl/crypto/ts/ts_rsp_verify.c @@ -480,7 +480,7 @@ static char *ts_get_status_text(STACK_OF(ASN1_UTF8STRING) *text) return result; } -static int ts_check_policy(const ASN1_OBJECT *req_oid, +static int ts_check_policy(const ASN1_OBJECT *req_oid, const TS_TST_INFO *tst_info) { const ASN1_OBJECT *resp_oid = tst_info->policy_id; diff --git a/deps/openssl/openssl/crypto/ui/ui_openssl.c b/deps/openssl/openssl/crypto/ui/ui_openssl.c index 8fa8deca66..bfe93a57f1 100644 --- a/deps/openssl/openssl/crypto/ui/ui_openssl.c +++ b/deps/openssl/openssl/crypto/ui/ui_openssl.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -524,17 +524,13 @@ static int echo_console(UI *ui) { #if defined(TTY_set) && !defined(OPENSSL_SYS_VMS) memcpy(&(tty_new), &(tty_orig), sizeof(tty_orig)); - tty_new.TTY_FLAGS |= ECHO; -#endif - -#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS) if (is_a_tty && (TTY_set(fileno(tty_in), &tty_new) == -1)) return 0; #endif #ifdef OPENSSL_SYS_VMS if (is_a_tty) { tty_new[0] = tty_orig[0]; - tty_new[1] = tty_orig[1] & ~TT$M_NOECHO; + tty_new[1] = tty_orig[1]; tty_new[2] = tty_orig[2]; status = sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12, 0, 0, 0, 0); @@ -555,7 +551,6 @@ static int echo_console(UI *ui) #if defined(_WIN32) && !defined(_WIN32_WCE) if (is_a_tty) { tty_new = tty_orig; - tty_new |= ENABLE_ECHO_INPUT; SetConsoleMode(GetStdHandle(STD_INPUT_HANDLE), tty_new); } #endif diff --git a/deps/openssl/openssl/crypto/x509/build.info b/deps/openssl/openssl/crypto/x509/build.info index 7fc4b45048..afd0b6134e 100644 --- a/deps/openssl/openssl/crypto/x509/build.info +++ b/deps/openssl/openssl/crypto/x509/build.info @@ -4,7 +4,7 @@ SOURCE[../../libcrypto]=\ x509_obj.c x509_req.c x509spki.c x509_vfy.c \ x509_set.c x509cset.c x509rset.c x509_err.c \ x509name.c x509_v3.c x509_ext.c x509_att.c \ - x509type.c x509_lu.c x_all.c x509_txt.c \ + x509type.c x509_meth.c x509_lu.c x_all.c x509_txt.c \ x509_trs.c by_file.c by_dir.c x509_vpm.c \ x_crl.c t_crl.c x_req.c t_req.c x_x509.c t_x509.c \ x_pubkey.c x_x509a.c x_attrib.c x_exten.c x_name.c diff --git a/deps/openssl/openssl/crypto/x509/by_dir.c b/deps/openssl/openssl/crypto/x509/by_dir.c index 21672a7ef5..a690455729 100644 --- a/deps/openssl/openssl/crypto/x509/by_dir.c +++ b/deps/openssl/openssl/crypto/x509/by_dir.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -111,7 +111,7 @@ static int new_dir(X509_LOOKUP *lu) OPENSSL_free(a); return 0; } - lu->method_data = (char *)a; + lu->method_data = a; return 1; } diff --git a/deps/openssl/openssl/crypto/x509/x509_cmp.c b/deps/openssl/openssl/crypto/x509/x509_cmp.c index 01056356c5..49b0368dfc 100644 --- a/deps/openssl/openssl/crypto/x509/x509_cmp.c +++ b/deps/openssl/openssl/crypto/x509/x509_cmp.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -174,7 +174,7 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) ret = a->canon_enclen - b->canon_enclen; - if (ret) + if (ret != 0 || a->canon_enclen == 0) return ret; return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen); diff --git a/deps/openssl/openssl/crypto/x509/x509_err.c b/deps/openssl/openssl/crypto/x509/x509_err.c index 3f4b8ef0bc..9f91188a76 100644 --- a/deps/openssl/openssl/crypto/x509/x509_err.c +++ b/deps/openssl/openssl/crypto/x509/x509_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -51,6 +51,7 @@ static ERR_STRING_DATA X509_str_functs[] = { {ERR_FUNC(X509_F_X509_LOAD_CERT_CRL_FILE), "X509_load_cert_crl_file"}, {ERR_FUNC(X509_F_X509_LOAD_CERT_FILE), "X509_load_cert_file"}, {ERR_FUNC(X509_F_X509_LOAD_CRL_FILE), "X509_load_crl_file"}, + {ERR_FUNC(X509_F_X509_LOOKUP_METH_NEW), "X509_LOOKUP_meth_new"}, {ERR_FUNC(X509_F_X509_NAME_ADD_ENTRY), "X509_NAME_add_entry"}, {ERR_FUNC(X509_F_X509_NAME_ENTRY_CREATE_BY_NID), "X509_NAME_ENTRY_create_by_NID"}, diff --git a/deps/openssl/openssl/crypto/x509/x509_lcl.h b/deps/openssl/openssl/crypto/x509/x509_lcl.h index 40bd102f70..8a47da4fef 100644 --- a/deps/openssl/openssl/crypto/x509/x509_lcl.h +++ b/deps/openssl/openssl/crypto/x509/x509_lcl.h @@ -1,5 +1,5 @@ /* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -67,7 +67,7 @@ struct x509_crl_method_st { }; struct x509_lookup_method_st { - const char *name; + char *name; int (*new_item) (X509_LOOKUP *ctx); void (*free) (X509_LOOKUP *ctx); int (*init) (X509_LOOKUP *ctx); @@ -91,7 +91,7 @@ struct x509_lookup_st { int init; /* have we been started */ int skip; /* don't use us. */ X509_LOOKUP_METHOD *method; /* the functions */ - char *method_data; /* method data */ + void *method_data; /* method data */ X509_STORE *store_ctx; /* who owns us */ }; diff --git a/deps/openssl/openssl/crypto/x509/x509_lu.c b/deps/openssl/openssl/crypto/x509/x509_lu.c index 90f23520f4..e5bea5b276 100644 --- a/deps/openssl/openssl/crypto/x509/x509_lu.c +++ b/deps/openssl/openssl/crypto/x509/x509_lu.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -117,6 +117,23 @@ int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, return ctx->method->get_by_alias(ctx, type, str, len, ret); } +int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data) +{ + ctx->method_data = data; + return 1; +} + +void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx) +{ + return ctx->method_data; +} + +X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx) +{ + return ctx->store_ctx; +} + + static int x509_object_cmp(const X509_OBJECT *const *a, const X509_OBJECT *const *b) { @@ -265,6 +282,9 @@ int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, X509_OBJECT stmp, *tmp; int i, j; + if (ctx == NULL) + return 0; + CRYPTO_THREAD_write_lock(ctx->lock); tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name); CRYPTO_THREAD_unlock(ctx->lock); @@ -290,26 +310,30 @@ int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, return 1; } -int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) +static int x509_store_add(X509_STORE *ctx, void *x, int crl) { X509_OBJECT *obj; - int ret = 1, added = 1; + int ret = 0, added = 0; if (x == NULL) return 0; obj = X509_OBJECT_new(); if (obj == NULL) return 0; - obj->type = X509_LU_X509; - obj->data.x509 = x; + + if (crl) { + obj->type = X509_LU_CRL; + obj->data.crl = (X509_CRL *)x; + } else { + obj->type = X509_LU_X509; + obj->data.x509 = (X509 *)x; + } X509_OBJECT_up_ref_count(obj); CRYPTO_THREAD_write_lock(ctx->lock); if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { - X509err(X509_F_X509_STORE_ADD_CERT, - X509_R_CERT_ALREADY_IN_HASH_TABLE); - ret = 0; + ret = 1; } else { added = sk_X509_OBJECT_push(ctx->objs, obj); ret = added != 0; @@ -317,46 +341,28 @@ int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) CRYPTO_THREAD_unlock(ctx->lock); - if (!ret) /* obj not pushed */ + if (added == 0) /* obj not pushed */ X509_OBJECT_free(obj); - if (!added) /* on push failure */ - X509err(X509_F_X509_STORE_ADD_CERT, ERR_R_MALLOC_FAILURE); return ret; } -int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) +int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) { - X509_OBJECT *obj; - int ret = 1, added = 1; - - if (x == NULL) - return 0; - obj = X509_OBJECT_new(); - if (obj == NULL) + if (!x509_store_add(ctx, x, 0)) { + X509err(X509_F_X509_STORE_ADD_CERT, ERR_R_MALLOC_FAILURE); return 0; - obj->type = X509_LU_CRL; - obj->data.crl = x; - X509_OBJECT_up_ref_count(obj); - - CRYPTO_THREAD_write_lock(ctx->lock); - - if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { - X509err(X509_F_X509_STORE_ADD_CRL, X509_R_CERT_ALREADY_IN_HASH_TABLE); - ret = 0; - } else { - added = sk_X509_OBJECT_push(ctx->objs, obj); - ret = added != 0; } + return 1; +} - CRYPTO_THREAD_unlock(ctx->lock); - - if (!ret) /* obj not pushed */ - X509_OBJECT_free(obj); - if (!added) /* on push failure */ +int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) +{ + if (!x509_store_add(ctx, x, 1)) { X509err(X509_F_X509_STORE_ADD_CRL, ERR_R_MALLOC_FAILURE); - - return ret; + return 0; + } + return 1; } int X509_OBJECT_up_ref_count(X509_OBJECT *a) @@ -403,8 +409,7 @@ X509_OBJECT *X509_OBJECT_new() return ret; } - -void X509_OBJECT_free(X509_OBJECT *a) +static void x509_object_free_internal(X509_OBJECT *a) { if (a == NULL) return; @@ -418,6 +423,33 @@ void X509_OBJECT_free(X509_OBJECT *a) X509_CRL_free(a->data.crl); break; } +} + +int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj) +{ + if (a == NULL || !X509_up_ref(obj)) + return 0; + + x509_object_free_internal(a); + a->type = X509_LU_X509; + a->data.x509 = obj; + return 1; +} + +int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj) +{ + if (a == NULL || !X509_CRL_up_ref(obj)) + return 0; + + x509_object_free_internal(a); + a->type = X509_LU_CRL; + a->data.crl = obj; + return 1; +} + +void X509_OBJECT_free(X509_OBJECT *a) +{ + x509_object_free_internal(a); OPENSSL_free(a); } @@ -489,6 +521,9 @@ STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) X509 *x; X509_OBJECT *obj; + if (ctx->ctx == NULL) + return NULL; + CRYPTO_THREAD_write_lock(ctx->ctx->lock); idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); if (idx < 0) { @@ -538,8 +573,10 @@ STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) X509_OBJECT *obj, *xobj = X509_OBJECT_new(); /* Always do lookup to possibly add new CRLs to cache */ - if (sk == NULL || xobj == NULL || - !X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, xobj)) { + if (sk == NULL + || xobj == NULL + || ctx->ctx == NULL + || !X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, xobj)) { X509_OBJECT_free(xobj); sk_X509_CRL_free(sk); return NULL; @@ -633,6 +670,9 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) } X509_OBJECT_free(obj); + if (ctx->ctx == NULL) + return 0; + /* Else find index of first cert accepted by 'check_issued' */ ret = 0; CRYPTO_THREAD_write_lock(ctx->ctx->lock); diff --git a/deps/openssl/openssl/crypto/x509/x509_meth.c b/deps/openssl/openssl/crypto/x509/x509_meth.c new file mode 100644 index 0000000000..05ed4bf863 --- /dev/null +++ b/deps/openssl/openssl/crypto/x509/x509_meth.c @@ -0,0 +1,166 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdio.h> +#include <time.h> +#include <errno.h> + +#include "internal/cryptlib.h" +#include <openssl/asn1.h> +#include <openssl/x509.h> +#include <openssl/ossl_typ.h> +#include "x509_lcl.h" + +X509_LOOKUP_METHOD *X509_LOOKUP_meth_new(const char *name) +{ + X509_LOOKUP_METHOD *method = OPENSSL_zalloc(sizeof(X509_LOOKUP_METHOD)); + + if (method != NULL) { + method->name = OPENSSL_strdup(name); + if (method->name == NULL) { + X509err(X509_F_X509_LOOKUP_METH_NEW, ERR_R_MALLOC_FAILURE); + goto err; + } + } + + return method; + +err: + OPENSSL_free(method); + return NULL; +} + +void X509_LOOKUP_meth_free(X509_LOOKUP_METHOD *method) +{ + if (method != NULL) + OPENSSL_free(method->name); + OPENSSL_free(method); +} + +int X509_LOOKUP_meth_set_new_item(X509_LOOKUP_METHOD *method, + int (*new_item) (X509_LOOKUP *ctx)) +{ + method->new_item = new_item; + return 1; +} + +int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx) +{ + return method->new_item; +} + +int X509_LOOKUP_meth_set_free( + X509_LOOKUP_METHOD *method, + void (*free) (X509_LOOKUP *ctx)) +{ + method->free = free; + return 1; +} + +void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx) +{ + return method->free; +} + +int X509_LOOKUP_meth_set_init(X509_LOOKUP_METHOD *method, + int (*init) (X509_LOOKUP *ctx)) +{ + method->init = init; + return 1; +} + +int (*X509_LOOKUP_meth_get_init(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx) +{ + return method->init; +} + +int X509_LOOKUP_meth_set_shutdown( + X509_LOOKUP_METHOD *method, + int (*shutdown) (X509_LOOKUP *ctx)) +{ + method->shutdown = shutdown; + return 1; +} + +int (*X509_LOOKUP_meth_get_shutdown(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx) +{ + return method->shutdown; +} + +int X509_LOOKUP_meth_set_ctrl( + X509_LOOKUP_METHOD *method, + X509_LOOKUP_ctrl_fn ctrl) +{ + method->ctrl = ctrl; + return 1; +} + +X509_LOOKUP_ctrl_fn X509_LOOKUP_meth_get_ctrl(const X509_LOOKUP_METHOD *method) +{ + return method->ctrl; +} + +int X509_LOOKUP_meth_set_get_by_subject(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_subject_fn get_by_subject) +{ + method->get_by_subject = get_by_subject; + return 1; +} + +X509_LOOKUP_get_by_subject_fn X509_LOOKUP_meth_get_get_by_subject( + const X509_LOOKUP_METHOD *method) +{ + return method->get_by_subject; +} + + +int X509_LOOKUP_meth_set_get_by_issuer_serial(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_issuer_serial_fn get_by_issuer_serial) +{ + method->get_by_issuer_serial = get_by_issuer_serial; + return 1; +} + +X509_LOOKUP_get_by_issuer_serial_fn + X509_LOOKUP_meth_get_get_by_issuer_serial(const X509_LOOKUP_METHOD *method) +{ + return method->get_by_issuer_serial; +} + + +int X509_LOOKUP_meth_set_get_by_fingerprint(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_fingerprint_fn get_by_fingerprint) +{ + method->get_by_fingerprint = get_by_fingerprint; + return 1; +} + +X509_LOOKUP_get_by_fingerprint_fn X509_LOOKUP_meth_get_get_by_fingerprint( + const X509_LOOKUP_METHOD *method) +{ + return method->get_by_fingerprint; +} + +int X509_LOOKUP_meth_set_get_by_alias(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_alias_fn get_by_alias) +{ + method->get_by_alias = get_by_alias; + return 1; +} + +X509_LOOKUP_get_by_alias_fn X509_LOOKUP_meth_get_get_by_alias( + const X509_LOOKUP_METHOD *method) +{ + return method->get_by_alias; +} + diff --git a/deps/openssl/openssl/crypto/x509/x509_vfy.c b/deps/openssl/openssl/crypto/x509/x509_vfy.c index 3018c69ae4..f86871f6d2 100644 --- a/deps/openssl/openssl/crypto/x509/x509_vfy.c +++ b/deps/openssl/openssl/crypto/x509/x509_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#include <ctype.h> #include <stdio.h> #include <time.h> #include <errno.h> @@ -557,6 +558,27 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) return 1; } +static int has_san_id(X509 *x, int gtype) +{ + int i; + int ret = 0; + GENERAL_NAMES *gs = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL); + + if (gs == NULL) + return 0; + + for (i = 0; i < sk_GENERAL_NAME_num(gs); i++) { + GENERAL_NAME *g = sk_GENERAL_NAME_value(gs, i); + + if (g->type == gtype) { + ret = 1; + break; + } + } + GENERAL_NAMES_free(gs); + return ret; +} + static int check_name_constraints(X509_STORE_CTX *ctx) { int i; @@ -655,7 +677,12 @@ static int check_name_constraints(X509_STORE_CTX *ctx) int rv = NAME_CONSTRAINTS_check(x, nc); /* If EE certificate check commonName too */ - if (rv == X509_V_OK && i == 0) + if (rv == X509_V_OK && i == 0 + && (ctx->param->hostflags + & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT) == 0 + && ((ctx->param->hostflags + & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT) != 0 + || !has_san_id(x, GEN_DNS))) rv = NAME_CONSTRAINTS_check_CN(x, nc); switch (rv) { @@ -1756,119 +1783,67 @@ int X509_cmp_current_time(const ASN1_TIME *ctm) int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) { - char *str; - ASN1_TIME atm; - long offset; - char buff1[24], buff2[24], *p; - int i, j, remaining; + static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1; + static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1; + ASN1_TIME *asn1_cmp_time = NULL; + int i, day, sec, ret = 0; - p = buff1; - remaining = ctm->length; - str = (char *)ctm->data; /* - * Note that the following (historical) code allows much more slack in the - * time format than RFC5280. In RFC5280, the representation is fixed: + * Note that ASN.1 allows much more slack in the time format than RFC5280. + * In RFC5280, the representation is fixed: * UTCTime: YYMMDDHHMMSSZ * GeneralizedTime: YYYYMMDDHHMMSSZ + * + * We do NOT currently enforce the following RFC 5280 requirement: + * "CAs conforming to this profile MUST always encode certificate + * validity dates through the year 2049 as UTCTime; certificate validity + * dates in 2050 or later MUST be encoded as GeneralizedTime." */ - if (ctm->type == V_ASN1_UTCTIME) { - /* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */ - int min_length = sizeof("YYMMDDHHMMZ") - 1; - int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1; - if (remaining < min_length || remaining > max_length) + switch (ctm->type) { + case V_ASN1_UTCTIME: + if (ctm->length != (int)(utctime_length)) return 0; - memcpy(p, str, 10); - p += 10; - str += 10; - remaining -= 10; - } else { - /* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */ - int min_length = sizeof("YYYYMMDDHHMMZ") - 1; - int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1; - if (remaining < min_length || remaining > max_length) + break; + case V_ASN1_GENERALIZEDTIME: + if (ctm->length != (int)(generalizedtime_length)) return 0; - memcpy(p, str, 12); - p += 12; - str += 12; - remaining -= 12; + break; + default: + return 0; } - if ((*str == 'Z') || (*str == '-') || (*str == '+')) { - *(p++) = '0'; - *(p++) = '0'; - } else { - /* SS (seconds) */ - if (remaining < 2) + /** + * Verify the format: the ASN.1 functions we use below allow a more + * flexible format than what's mandated by RFC 5280. + * Digit and date ranges will be verified in the conversion methods. + */ + for (i = 0; i < ctm->length - 1; i++) { + if (!isdigit(ctm->data[i])) return 0; - *(p++) = *(str++); - *(p++) = *(str++); - remaining -= 2; - /* - * Skip any (up to three) fractional seconds... - * TODO(emilia): in RFC5280, fractional seconds are forbidden. - * Can we just kill them altogether? - */ - if (remaining && *str == '.') { - str++; - remaining--; - for (i = 0; i < 3 && remaining; i++, str++, remaining--) { - if (*str < '0' || *str > '9') - break; - } - } - } - *(p++) = 'Z'; - *(p++) = '\0'; - - /* We now need either a terminating 'Z' or an offset. */ - if (!remaining) + if (ctm->data[ctm->length - 1] != 'Z') return 0; - if (*str == 'Z') { - if (remaining != 1) - return 0; - offset = 0; - } else { - /* (+-)HHMM */ - if ((*str != '+') && (*str != '-')) - return 0; - /* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */ - if (remaining != 5) - return 0; - if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' || - str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9') - return 0; - offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60; - offset += (str[3] - '0') * 10 + (str[4] - '0'); - if (*str == '-') - offset = -offset; - } - atm.type = ctm->type; - atm.flags = 0; - atm.length = sizeof(buff2); - atm.data = (unsigned char *)buff2; - if (X509_time_adj(&atm, offset * 60, cmp_time) == NULL) - return 0; + /* + * There is ASN1_UTCTIME_cmp_time_t but no + * ASN1_GENERALIZEDTIME_cmp_time_t or ASN1_TIME_cmp_time_t, + * so we go through ASN.1 + */ + asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time); + if (asn1_cmp_time == NULL) + goto err; + if (!ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time)) + goto err; - if (ctm->type == V_ASN1_UTCTIME) { - i = (buff1[0] - '0') * 10 + (buff1[1] - '0'); - if (i < 50) - i += 100; /* cf. RFC 2459 */ - j = (buff2[0] - '0') * 10 + (buff2[1] - '0'); - if (j < 50) - j += 100; - - if (i < j) - return -1; - if (i > j) - return 1; - } - i = strcmp(buff1, buff2); - if (i == 0) /* wait a second then return younger :-) */ - return -1; - else - return i; + /* + * X509_cmp_time comparison is <=. + * The return value 0 is reserved for errors. + */ + ret = (day >= 0 && sec >= 0) ? -1 : 1; + + err: + ASN1_TIME_free(asn1_cmp_time); + return ret; } ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) @@ -3264,6 +3239,10 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) if (level > NUM_AUTH_LEVELS) level = NUM_AUTH_LEVELS; + /* We are not able to look up the CA MD for RSA PSS in this version */ + if (nid == NID_rsassaPss) + return 1; + /* Lookup signature algorithm digest */ if (nid && OBJ_find_sigid_algs(nid, &mdnid, NULL)) { const EVP_MD *md; diff --git a/deps/openssl/openssl/crypto/x509/x509_vpm.c b/deps/openssl/openssl/crypto/x509/x509_vpm.c index b5067220ad..9bc4c61101 100644 --- a/deps/openssl/openssl/crypto/x509/x509_vpm.c +++ b/deps/openssl/openssl/crypto/x509/x509_vpm.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -412,6 +412,11 @@ void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, param->hostflags = flags; } +unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param) +{ + return param->hostflags; +} + char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param) { return param->peername; diff --git a/deps/openssl/openssl/crypto/x509/x509name.c b/deps/openssl/openssl/crypto/x509/x509name.c index f87dc7db99..81dce376f8 100644 --- a/deps/openssl/openssl/crypto/x509/x509name.c +++ b/deps/openssl/openssl/crypto/x509/x509name.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -191,7 +191,7 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, loc = n; else if (loc < 0) loc = n; - + inc = (set == 0); name->modified = 1; if (set == -1) { @@ -200,7 +200,6 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, inc = 1; } else { set = sk_X509_NAME_ENTRY_value(sk, loc - 1)->set; - inc = 0; } } else { /* if (set >= 0) */ @@ -211,12 +210,11 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, set = 0; } else set = sk_X509_NAME_ENTRY_value(sk, loc)->set; - inc = (set == 0) ? 1 : 0; } /* * X509_NAME_ENTRY_dup is ASN1 generated code, that can't be easily - * const'ified; harmless cast as dup() don't modify its input. + * const'ified; harmless cast since dup() don't modify its input. */ if ((new_name = X509_NAME_ENTRY_dup((X509_NAME_ENTRY *)ne)) == NULL) goto err; @@ -228,7 +226,7 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, if (inc) { n = sk_X509_NAME_ENTRY_num(sk); for (i = loc + 1; i < n; i++) - sk_X509_NAME_ENTRY_value(sk, i - 1)->set += 1; + sk_X509_NAME_ENTRY_value(sk, i)->set += 1; } return (1); err: diff --git a/deps/openssl/openssl/crypto/x509/x_name.c b/deps/openssl/openssl/crypto/x509/x_name.c index 0af5df5cfc..1a33dc1daa 100644 --- a/deps/openssl/openssl/crypto/x509/x_name.c +++ b/deps/openssl/openssl/crypto/x509/x_name.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -472,6 +472,8 @@ static int i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) * _intname, int X509_NAME_set(X509_NAME **xn, X509_NAME *name) { + if (*xn == name) + return *xn != NULL; if ((name = X509_NAME_dup(name)) == NULL) return 0; X509_NAME_free(*xn); diff --git a/deps/openssl/openssl/crypto/x509v3/v3_enum.c b/deps/openssl/openssl/crypto/x509v3/v3_enum.c index 3b0f197444..f39cb5ac2a 100644 --- a/deps/openssl/openssl/crypto/x509v3/v3_enum.c +++ b/deps/openssl/openssl/crypto/x509v3/v3_enum.c @@ -38,7 +38,7 @@ const X509V3_EXT_METHOD v3_crl_reason = { crl_reasons }; -char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, +char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *e) { ENUMERATED_NAMES *enam; diff --git a/deps/openssl/openssl/crypto/x509v3/v3_ncons.c b/deps/openssl/openssl/crypto/x509v3/v3_ncons.c index 2eec405a36..bd7301e455 100644 --- a/deps/openssl/openssl/crypto/x509v3/v3_ncons.c +++ b/deps/openssl/openssl/crypto/x509v3/v3_ncons.c @@ -1,5 +1,5 @@ /* - * Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2003-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -297,47 +297,140 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc) } +static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen) +{ + int utf8_length; + unsigned char *utf8_value; + int i; + int isdnsname = 0; + + /* Don't leave outputs uninitialized */ + *dnsid = NULL; + *idlen = 0; + + /*- + * Per RFC 6125, DNS-IDs representing internationalized domain names appear + * in certificates in A-label encoded form: + * + * https://tools.ietf.org/html/rfc6125#section-6.4.2 + * + * The same applies to CNs which are intended to represent DNS names. + * However, while in the SAN DNS-IDs are IA5Strings, as CNs they may be + * needlessly encoded in 16-bit Unicode. We perform a conversion to UTF-8 + * to ensure that we get an ASCII representation of any CNs that are + * representable as ASCII, but just not encoded as ASCII. The UTF-8 form + * may contain some non-ASCII octets, and that's fine, such CNs are not + * valid legacy DNS names. + * + * Note, 'int' is the return type of ASN1_STRING_to_UTF8() so that's what + * we must use for 'utf8_length'. + */ + if ((utf8_length = ASN1_STRING_to_UTF8(&utf8_value, cn)) < 0) + return X509_V_ERR_OUT_OF_MEM; + + /* + * Some certificates have had names that include a *trailing* NUL byte. + * Remove these harmless NUL characters. They would otherwise yield false + * alarms with the following embedded NUL check. + */ + while (utf8_length > 0 && utf8_value[utf8_length - 1] == '\0') + --utf8_length; + + /* Reject *embedded* NULs */ + if ((size_t)utf8_length != strlen((char *)utf8_value)) { + OPENSSL_free(utf8_value); + return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + } + + /* + * XXX: Deviation from strict DNS name syntax, also check names with '_' + * Check DNS name syntax, any '-' or '.' must be internal, + * and on either side of each '.' we can't have a '-' or '.'. + * + * If the name has just one label, we don't consider it a DNS name. This + * means that "CN=sometld" cannot be precluded by DNS name constraints, but + * that is not a problem. + */ + for (i = 0; i < utf8_length; ++i) { + unsigned char c = utf8_value[i]; + + if ((c >= 'a' && c <= 'z') + || (c >= 'A' && c <= 'Z') + || (c >= '0' && c <= '9') + || c == '_') + continue; + + /* Dot and hyphen cannot be first or last. */ + if (i > 0 && i < utf8_length - 1) { + if (c == '-') + continue; + /* + * Next to a dot the preceding and following characters must not be + * another dot or a hyphen. Otherwise, record that the name is + * plausible, since it has two or more labels. + */ + if (c == '.' + && utf8_value[i + 1] != '.' + && utf8_value[i - 1] != '-' + && utf8_value[i + 1] != '-') { + isdnsname = 1; + continue; + } + } + isdnsname = 0; + break; + } + + if (isdnsname) { + *dnsid = utf8_value; + *idlen = (size_t)utf8_length; + return X509_V_OK; + } + OPENSSL_free(utf8_value); + return X509_V_OK; +} + +/* + * Check CN against DNS-ID name constraints. + */ int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc) { int r, i; - X509_NAME *nm; - + X509_NAME *nm = X509_get_subject_name(x); ASN1_STRING stmp; GENERAL_NAME gntmp; + stmp.flags = 0; stmp.type = V_ASN1_IA5STRING; gntmp.type = GEN_DNS; gntmp.d.dNSName = &stmp; - nm = X509_get_subject_name(x); - /* Process any commonName attributes in subject name */ for (i = -1;;) { X509_NAME_ENTRY *ne; - ASN1_STRING *hn; + ASN1_STRING *cn; + unsigned char *idval; + size_t idlen; + i = X509_NAME_get_index_by_NID(nm, NID_commonName, i); if (i == -1) break; ne = X509_NAME_get_entry(nm, i); - hn = X509_NAME_ENTRY_get_data(ne); - /* Only process attributes that look like host names */ - if (asn1_valid_host(hn)) { - unsigned char *h; - int hlen = ASN1_STRING_to_UTF8(&h, hn); - if (hlen <= 0) - return X509_V_ERR_OUT_OF_MEM; + cn = X509_NAME_ENTRY_get_data(ne); - stmp.length = hlen; - stmp.data = h; - - r = nc_match(&gntmp, nc); - - OPENSSL_free(h); + /* Only process attributes that look like host names */ + if ((r = cn2dnsid(cn, &idval, &idlen)) != X509_V_OK) + return r; + if (idlen == 0) + continue; - if (r != X509_V_OK) - return r; - } + stmp.length = idlen; + stmp.data = idval; + r = nc_match(&gntmp, nc); + OPENSSL_free(idval); + if (r != X509_V_OK) + return r; } return X509_V_OK; } diff --git a/deps/openssl/openssl/crypto/x509v3/v3_purp.c b/deps/openssl/openssl/crypto/x509v3/v3_purp.c index 6d2f354d70..7ac067229f 100644 --- a/deps/openssl/openssl/crypto/x509v3/v3_purp.c +++ b/deps/openssl/openssl/crypto/x509v3/v3_purp.c @@ -78,11 +78,9 @@ int X509_check_purpose(X509 *x, int id, int ca) { int idx; const X509_PURPOSE *pt; - if (!(x->ex_flags & EXFLAG_SET)) { - CRYPTO_THREAD_write_lock(x->lock); - x509v3_cache_extensions(x); - CRYPTO_THREAD_unlock(x->lock); - } + + x509v3_cache_extensions(x); + /* Return if side-effect only call */ if (id == -1) return 1; @@ -352,10 +350,18 @@ static void x509v3_cache_extensions(X509 *x) ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; X509_EXTENSION *ex; - int i; - if (x->ex_flags & EXFLAG_SET) + + /* fast lock-free check, see end of the function for details. */ + if (x->ex_cached) + return; + + CRYPTO_THREAD_write_lock(x->lock); + if (x->ex_flags & EXFLAG_SET) { + CRYPTO_THREAD_unlock(x->lock); return; + } + X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); /* V1 should mean no extensions ... */ if (!X509_get_version(x)) @@ -489,6 +495,13 @@ static void x509v3_cache_extensions(X509 *x) } } x->ex_flags |= EXFLAG_SET; + CRYPTO_THREAD_unlock(x->lock); + /* + * It has to be placed after memory barrier, which is implied by unlock. + * Worst thing that can happen is that another thread proceeds to lock + * and checks x->ex_flags & EXFLAGS_SET. See beginning of the function. + */ + x->ex_cached = 1; } /*- @@ -541,11 +554,7 @@ void X509_set_proxy_pathlen(X509 *x, long l) int X509_check_ca(X509 *x) { - if (!(x->ex_flags & EXFLAG_SET)) { - CRYPTO_THREAD_write_lock(x->lock); - x509v3_cache_extensions(x); - CRYPTO_THREAD_unlock(x->lock); - } + x509v3_cache_extensions(x); return check_ca(x); } @@ -759,6 +768,7 @@ int X509_check_issued(X509 *issuer, X509 *subject) if (X509_NAME_cmp(X509_get_subject_name(issuer), X509_get_issuer_name(subject))) return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; + x509v3_cache_extensions(issuer); x509v3_cache_extensions(subject); diff --git a/deps/openssl/openssl/crypto/x509v3/v3_skey.c b/deps/openssl/openssl/crypto/x509v3/v3_skey.c index 749f51b2f0..39597dc41d 100644 --- a/deps/openssl/openssl/crypto/x509v3/v3_skey.c +++ b/deps/openssl/openssl/crypto/x509v3/v3_skey.c @@ -24,7 +24,7 @@ const X509V3_EXT_METHOD v3_skey_id = { NULL }; -char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, +char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, const ASN1_OCTET_STRING *oct) { return OPENSSL_buf2hexstr(oct->data, oct->length); diff --git a/deps/openssl/openssl/crypto/x509v3/v3_tlsf.c b/deps/openssl/openssl/crypto/x509v3/v3_tlsf.c index fec67243f8..d93781e1b7 100644 --- a/deps/openssl/openssl/crypto/x509v3/v3_tlsf.c +++ b/deps/openssl/openssl/crypto/x509v3/v3_tlsf.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -121,13 +121,12 @@ static TLS_FEATURE *v2i_TLS_FEATURE(const X509V3_EXT_METHOD *method, } } - ai = ASN1_INTEGER_new(); - if (ai == NULL) { + if ((ai = ASN1_INTEGER_new()) == NULL + || !ASN1_INTEGER_set(ai, tlsextid) + || sk_ASN1_INTEGER_push(tlsf, ai) <= 0) { X509V3err(X509V3_F_V2I_TLS_FEATURE, ERR_R_MALLOC_FAILURE); goto err; } - ASN1_INTEGER_set(ai, tlsextid); - sk_ASN1_INTEGER_push(tlsf, ai); } return tlsf; diff --git a/deps/openssl/openssl/demos/bio/descrip.mms b/deps/openssl/openssl/demos/bio/descrip.mms index d49725ffd1..8e127b079a 100644 --- a/deps/openssl/openssl/demos/bio/descrip.mms +++ b/deps/openssl/openssl/demos/bio/descrip.mms @@ -23,7 +23,7 @@ SHARED = TRUE @ ! # Because we use an option file, we need to redefine this -.obj.exe : +.obj.exe : $(LINK) $(LINKFLAGS) $<,OPT:/OPT all : client-arg.exe client-conf.exe saccept.exe sconnect.exe - diff --git a/deps/openssl/openssl/demos/certs/README b/deps/openssl/openssl/demos/certs/README index 88cf56b1f8..126663a1d8 100644 --- a/deps/openssl/openssl/demos/certs/README +++ b/deps/openssl/openssl/demos/certs/README @@ -8,7 +8,7 @@ automatically using scripts. Example creates a root CA, an intermediate CA signed by the root and several certificates signed by the intermediate CA. The script then creates an empty index.txt file and adds entries for the -certificates and generates a CRL. Then one certificate is revoked and a +certificates and generates a CRL. Then one certificate is revoked and a second CRL generated. The script ocsprun.sh runs the test responder on port 8888 covering the @@ -16,3 +16,6 @@ client certificates. The script ocspquery.sh queries the status of the certificates using the test responder. + + + diff --git a/deps/openssl/openssl/demos/certs/apps/apps.cnf b/deps/openssl/openssl/demos/certs/apps/apps.cnf index f02d43bad0..531afe64b2 100644 --- a/deps/openssl/openssl/demos/certs/apps/apps.cnf +++ b/deps/openssl/openssl/demos/certs/apps/apps.cnf @@ -65,3 +65,5 @@ subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always basicConstraints = critical,CA:true keyUsage = critical, cRLSign, keyCertSign + + diff --git a/deps/openssl/openssl/demos/certs/apps/mkxcerts.sh b/deps/openssl/openssl/demos/certs/apps/mkxcerts.sh index ebe1920432..0f88a48fb8 100644 --- a/deps/openssl/openssl/demos/certs/apps/mkxcerts.sh +++ b/deps/openssl/openssl/demos/certs/apps/mkxcerts.sh @@ -13,7 +13,7 @@ CN="OpenSSL Test RSA SHA-512 cert" $OPENSSL req \ -config apps.cnf -extensions usr_cert -x509 -nodes \ -keyout tsha512.pem -out tsha512.pem -new -days 3650 -sha512 -# Create EC parameters +# Create EC parameters $OPENSSL ecparam -name P-256 -out ecp256.pem $OPENSSL ecparam -name P-384 -out ecp384.pem diff --git a/deps/openssl/openssl/demos/certs/mkcerts.sh b/deps/openssl/openssl/demos/certs/mkcerts.sh index 498595d28c..18daa6bcfb 100644 --- a/deps/openssl/openssl/demos/certs/mkcerts.sh +++ b/deps/openssl/openssl/demos/certs/mkcerts.sh @@ -42,7 +42,7 @@ CN="Test OCSP Responder Cert" $OPENSSL req -config ca.cnf -nodes \ $OPENSSL x509 -req -in respreq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ -extfile ca.cnf -extensions ocsp_cert -CAcreateserial -out resp.pem -# Example creating a PKCS#3 DH certificate. +# Example creating a PKCS#3 DH certificate. # First DH parameters @@ -93,3 +93,4 @@ openssl ca -revoke rev.pem -crl_reason superseded \ # Generate another CRL $OPENSSL ca -gencrl -keyfile root.pem -cert root.pem -config ca.cnf \ -md sha1 -crldays 1 -out crl2.pem + diff --git a/deps/openssl/openssl/demos/evp/Makefile b/deps/openssl/openssl/demos/evp/Makefile index 4a753e9247..72c6e81d7a 100644 --- a/deps/openssl/openssl/demos/evp/Makefile +++ b/deps/openssl/openssl/demos/evp/Makefile @@ -11,7 +11,7 @@ CFLAGS = $(OPENSSL_INCS_LOCATION) LDFLAGS = $(OPENSSL_LIBS_LOCATION) -lssl -lcrypto -all: aesccm aesgcm +all: aesccm aesgcm aesccm: aesccm.o aesgcm: aesgcm.o diff --git a/deps/openssl/openssl/demos/evp/aesgcm.c b/deps/openssl/openssl/demos/evp/aesgcm.c index 46d9a5639b..df59f469fd 100644 --- a/deps/openssl/openssl/demos/evp/aesgcm.c +++ b/deps/openssl/openssl/demos/evp/aesgcm.c @@ -102,7 +102,7 @@ void aes_gcm_decrypt(void) printf("Plaintext:\n"); BIO_dump_fp(stdout, outbuf, outlen); /* Set expected tag value. */ - EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, sizeof(gcm_tag), + EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, sizeof(gcm_tag), (void *)gcm_tag); /* Finalise: note get no output for GCM */ rv = EVP_DecryptFinal_ex(ctx, outbuf, &outlen); diff --git a/deps/openssl/openssl/doc/apps/cms.pod b/deps/openssl/openssl/doc/apps/cms.pod index 96acd315d4..64ec106b09 100644 --- a/deps/openssl/openssl/doc/apps/cms.pod +++ b/deps/openssl/openssl/doc/apps/cms.pod @@ -393,6 +393,9 @@ When encrypting a message this option may be used multiple times to specify each recipient. This form B<must> be used if customised parameters are required (for example to specify RSA-OAEP). +Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this +option. + =item B<-keyid> use subject key identifier to identify certificates instead of issuer name and @@ -712,23 +715,20 @@ No revocation checking is done on the signer's certificate. =head1 HISTORY The use of multiple B<-signer> options and the B<-resign> command were first -added in OpenSSL 1.0.0 - -The B<keyopt> option was first added in OpenSSL 1.1.0 +added in OpenSSL 1.0.0. -The use of B<-recip> to specify the recipient when encrypting mail was first -added to OpenSSL 1.1.0 +The B<keyopt> option was first added in OpenSSL 1.0.2 -Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. +Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.0.2. The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added -to OpenSSL 1.1.0. +to OpenSSL 1.0.2. -The -no_alt_chains options was first added to OpenSSL 1.1.0. +The -no_alt_chains options was first added to OpenSSL 1.0.2b. =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/apps/config.pod b/deps/openssl/openssl/doc/apps/config.pod index 76f282f28c..a5153a65f1 100644 --- a/deps/openssl/openssl/doc/apps/config.pod +++ b/deps/openssl/openssl/doc/apps/config.pod @@ -20,7 +20,7 @@ started or end of file is reached. A section name can consist of alphanumeric characters and underscores. The first section of a configuration file is special and is referred -to as the B<default> section this is usually unnamed and is from the +to as the B<default> section. This section is usually unnamed and spans from the start of file until the first named section. When a name is being looked up it is first looked up in a named section (if any) and then the default section. @@ -377,7 +377,7 @@ L<x509(1)>, L<req(1)>, L<ca(1)> =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/apps/genpkey.pod b/deps/openssl/openssl/doc/apps/genpkey.pod index d48695200b..91b12e249b 100644 --- a/deps/openssl/openssl/doc/apps/genpkey.pod +++ b/deps/openssl/openssl/doc/apps/genpkey.pod @@ -12,7 +12,7 @@ B<openssl> B<genpkey> [B<-out filename>] [B<-outform PEM|DER>] [B<-pass arg>] -[B<-cipher>] +[B<-I<cipher>>] [B<-engine id>] [B<-paramfile file>] [B<-algorithm alg>] @@ -39,21 +39,21 @@ standard output is used. =item B<-outform DER|PEM> -This specifies the output format DER or PEM. +This specifies the output format DER or PEM. The default format is PEM. =item B<-pass arg> -the output file password source. For more information about the format of B<arg> +The output file password source. For more information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. -=item B<-cipher> +=item B<-I<cipher>> This option encrypts the private key with the supplied cipher. Any algorithm name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>. =item B<-engine id> -specifying an engine (by its unique B<id> string) will cause B<genpkey> +Specifying an engine (by its unique B<id> string) will cause B<genpkey> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. If used this option should precede all other @@ -61,19 +61,32 @@ options. =item B<-algorithm alg> -public key algorithm to use such as RSA, DSA or DH. If used this option must +Public key algorithm to use such as RSA, DSA or DH. If used this option must precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm> -are mutually exclusive. +are mutually exclusive. Engines may add algorithms in addition to the standard +built-in ones. + +Valid built-in algorithm names for private key generation are RSA and EC. + +Valid built-in algorithm names for parameter generation (see the B<-genparam> +option) are DH, DSA and EC. + +Note that the algorithm name X9.42 DH may be used as a synonym for the DH +algorithm. These are identical and do not indicate the type of parameters that +will be generated. Use the B<dh_paramgen_type> option to indicate whether PKCS#3 +or X9.42 DH parameters are required. See L<DH Parameter Generation Options> +below for more details. =item B<-pkeyopt opt:value> -set the public key algorithm option B<opt> to B<value>. The precise set of +Set the public key algorithm option B<opt> to B<value>. The precise set of options supported depends on the public key algorithm used and its -implementation. See B<KEY GENERATION OPTIONS> below for more details. +implementation. See L<KEY GENERATION OPTIONS> and +L<PARAMETER GENERATION OPTIONS> below for more details. =item B<-genparam> -generate a set of parameters instead of a private key. If used this option must +Generate a set of parameters instead of a private key. If used this option must precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options. =item B<-paramfile filename> @@ -97,7 +110,7 @@ The options supported by each algorithm and indeed each implementation of an algorithm can vary. The options for the OpenSSL implementations are detailed below. -=head1 RSA KEY GENERATION OPTIONS +=head2 RSA Key Generation Options =over 4 @@ -112,91 +125,92 @@ hexadecimal value if preceded by B<0x>. Default value is 65537. =back -=head1 DSA PARAMETER GENERATION OPTIONS +=head2 EC Key Generation Options + +The EC key generation options can also be used for parameter generation. =over 4 -=item B<dsa_paramgen_bits:numbits> +=item B<ec_paramgen_curve:curve> + +The EC curve to use. OpenSSL supports NIST curve names such as "P-256". -The number of bits in the generated parameters. If not specified 1024 is used. +=item B<ec_param_enc:encoding> + +The encoding to use for parameters. The "encoding" parameter must be either +"named_curve" or "explicit". The default value is "named_curve". =back -=head1 DH PARAMETER GENERATION OPTIONS +=head1 PARAMETER GENERATION OPTIONS + +The options supported by each algorithm and indeed each implementation of an +algorithm can vary. The options for the OpenSSL implementations are detailed +below. + +=head2 DSA Parameter Generation Options =over 4 -=item B<dh_paramgen_prime_len:numbits> +=item B<dsa_paramgen_bits:numbits> -The number of bits in the prime parameter B<p>. +The number of bits in the generated prime. If not specified 1024 is used. -=item B<dh_paramgen_generator:value> +=item B<dsa_paramgen_q_bits:numbits> -The value to use for the generator B<g>. +The number of bits in the q parameter. Must be one of 160, 224 or 256. If not +specified 160 is used. -=item B<dh_rfc5114:num> +=item B<dsa_paramgen_md:digest> -If this option is set then the appropriate RFC5114 parameters are used -instead of generating new parameters. The value B<num> can take the -values 1, 2 or 3 corresponding to RFC5114 DH parameters consisting of -1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup -and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections -2.1, 2.2 and 2.3 respectively. +The digest to use during parameter generation. Must be one of B<sha1>, B<sha224> +or B<sha256>. If set, then the number of bits in B<q> will match the output size +of the specified digest and the B<dsa_paramgen_q_bits> parameter will be +ignored. If not set, then a digest will be used that gives an output matching +the number of bits in B<q>, i.e. B<sha1> if q length is 160, B<sha224> if it 224 +or B<sha256> if it is 256. =back -=head1 EC PARAMETER GENERATION OPTIONS - -The EC parameter generation options below can also -be supplied as EC key generation options. This can (for example) generate a -key from a named curve without the need to use an explicit parameter file. +=head2 DH Parameter Generation Options =over 4 -=item B<ec_paramgen_curve:curve> - -the EC curve to use. OpenSSL supports NIST curve names such as "P-256". +=item B<dh_paramgen_prime_len:numbits> -=item B<ec_param_enc:encoding> +The number of bits in the prime parameter B<p>. The default is 1024. -the encoding to use for parameters. The "encoding" parameter must be either -"named_curve" or "explicit". +=item B<dh_paramgen_subprime_len:numbits> -=back +The number of bits in the sub prime parameter B<q>. The default is 256 if the +prime is at least 2048 bits long or 160 otherwise. Only relevant if used in +conjunction with the B<dh_paramgen_type> option to generate X9.42 DH parameters. -=head1 GOST2001 KEY GENERATION AND PARAMETER OPTIONS - -Gost 2001 support is not enabled by default. To enable this algorithm, -one should load the ccgost engine in the OpenSSL configuration file. -See README.gost file in the engines/ccgost directory of the source -distribution for more details. +=item B<dh_paramgen_generator:value> -Use of a parameter file for the GOST R 34.10 algorithm is optional. -Parameters can be specified during key generation directly as well as -during generation of parameter file. +The value to use for the generator B<g>. The default is 2. -=over 4 +=item B<dh_paramgen_type:value> -=item B<paramset:name> +The type of DH parameters to generate. Use 0 for PKCS#3 DH and 1 for X9.42 DH. +The default is 0. -Specifies GOST R 34.10-2001 parameter set according to RFC 4357. -Parameter set can be specified using abbreviated name, object short name or -numeric OID. Following parameter sets are supported: +=item B<dh_rfc5114:num> - paramset OID Usage - A 1.2.643.2.2.35.1 Signature - B 1.2.643.2.2.35.2 Signature - C 1.2.643.2.2.35.3 Signature - XA 1.2.643.2.2.36.0 Key exchange - XB 1.2.643.2.2.36.1 Key exchange - test 1.2.643.2.2.35.0 Test purposes +If this option is set, then the appropriate RFC5114 parameters are used +instead of generating new parameters. The value B<num> can take the +values 1, 2 or 3 corresponding to RFC5114 DH parameters consisting of +1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup +and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections +2.1, 2.2 and 2.3 respectively. If present this overrides all other DH parameter +options. =back -=head1 X25519 KEY GENERATION OPTIONS - -The X25519 algorithm does not currently support any key generation options. +=head2 EC Parameter Generation Options +The EC parameter generation options are the same as for key generation. See +L<EC Key Generation Options> above. =head1 NOTES @@ -219,19 +233,25 @@ Generate a 2048 bit RSA key using 3 as the public exponent: openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \ -pkeyopt rsa_keygen_pubexp:3 -Generate 1024 bit DSA parameters: +Generate 2048 bit DSA parameters: openssl genpkey -genparam -algorithm DSA -out dsap.pem \ - -pkeyopt dsa_paramgen_bits:1024 + -pkeyopt dsa_paramgen_bits:2048 Generate DSA key from parameters: openssl genpkey -paramfile dsap.pem -out dsakey.pem -Generate 1024 bit DH parameters: +Generate 2048 bit DH parameters: openssl genpkey -genparam -algorithm DH -out dhp.pem \ - -pkeyopt dh_paramgen_prime_len:1024 + -pkeyopt dh_paramgen_prime_len:2048 + +Generate 2048 bit X9.42 DH parameters: + + openssl genpkey -genparam -algorithm DH -out dhpx.pem \ + -pkeyopt dh_paramgen_prime_len:2048 \ + -pkeyopt dh_paramgen_type:1 Output RFC5114 2048 bit DH parameters with 224 bit subgroup: @@ -264,11 +284,12 @@ Generate an X25519 private key: =head1 HISTORY The ability to use NIST curve names, and to generate an EC key directly, -were added in OpenSSL 1.0.2. +were added in OpenSSL 1.0.2. The ability to generate X25519 keys was added in +OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/apps/rehash.pod b/deps/openssl/openssl/doc/apps/rehash.pod index 79268d4792..22f3b7a40a 100644 --- a/deps/openssl/openssl/doc/apps/rehash.pod +++ b/deps/openssl/openssl/doc/apps/rehash.pod @@ -99,6 +99,12 @@ Note that current versions will not use the old style. Do not remove existing links. This is needed when keeping new and old-style links in the same directory. +=item B<-compat> + +Generate links for both old-style (MD5) and new-style (SHA1) hashing. +This allows releases before 1.0.0 to use these links along-side newer +releases. + =item B<-v> Print messages about old links removed and new links created. @@ -130,7 +136,7 @@ L<x509(1)>. =head1 COPYRIGHT -Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/apps/s_client.pod b/deps/openssl/openssl/doc/apps/s_client.pod index 01a6c5f7fc..9c17075337 100644 --- a/deps/openssl/openssl/doc/apps/s_client.pod +++ b/deps/openssl/openssl/doc/apps/s_client.pod @@ -281,8 +281,9 @@ be used as a test that session caching is working. =item B<-showcerts> -display the whole server certificate chain: normally only the server -certificate itself is displayed. +Displays the server certificate list as sent by the server: it only consists of +certificates the server has sent (in the order the server has sent them). It is +B<not> a verified chain. =item B<-prexit> @@ -579,7 +580,8 @@ a client certificate. Therefor merely including a client certificate on the command line is no guarantee that the certificate works. If there are problems verifying a server certificate then the -B<-showcerts> option can be used to show the whole chain. +B<-showcerts> option can be used to show all the certificates sent by the +server. The B<s_client> utility is a test tool and is designed to continue the handshake after any certificate verification errors. As a result it will @@ -609,7 +611,7 @@ The -no_alt_chains options was first added to OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/ASN1_INTEGER_get_int64.pod b/deps/openssl/openssl/doc/crypto/ASN1_INTEGER_get_int64.pod index f61268d6ac..d0a6a3c810 100644 --- a/deps/openssl/openssl/doc/crypto/ASN1_INTEGER_get_int64.pod +++ b/deps/openssl/openssl/doc/crypto/ASN1_INTEGER_get_int64.pod @@ -11,10 +11,10 @@ ASN1_INTEGER_get_int64, ASN1_INTEGER_get, ASN1_INTEGER_set_int64, ASN1_INTEGER_s #include <openssl/asn1.h> int ASN1_INTEGER_get_int64(int64_t *pr, const ASN1_INTEGER *a); - int ASN1_INTEGER_get(const ASN1_INTEGER *a, long v); + long ASN1_INTEGER_get(const ASN1_INTEGER *a); int ASN1_INTEGER_set_int64(ASN1_INTEGER *a, int64_t r); - long ASN1_INTEGER_set(const ASN1_INTEGER *a); + int ASN1_INTEGER_set(const ASN1_INTEGER *a, long v); int ASN1_INTEGER_get_uint64(uint64_t *pr, const ASN1_INTEGER *a); int ASN1_INTEGER_set_uint64(ASN1_INTEGER *a, uint64_t r); @@ -123,7 +123,7 @@ were added to OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/BIO_meth_new.pod b/deps/openssl/openssl/doc/crypto/BIO_meth_new.pod index f682c37d17..89179a46e7 100644 --- a/deps/openssl/openssl/doc/crypto/BIO_meth_new.pod +++ b/deps/openssl/openssl/doc/crypto/BIO_meth_new.pod @@ -17,26 +17,26 @@ BIO_meth_set_callback_ctrl - Routines to build up BIO methods int BIO_get_new_index(void); BIO_METHOD *BIO_meth_new(int type, const char *name); void BIO_meth_free(BIO_METHOD *biom); - int (*BIO_meth_get_write(BIO_METHOD *biom)) (BIO *, const char *, int); + int (*BIO_meth_get_write(const BIO_METHOD *biom)) (BIO *, const char *, int); int BIO_meth_set_write(BIO_METHOD *biom, int (*write) (BIO *, const char *, int)); - int (*BIO_meth_get_read(BIO_METHOD *biom)) (BIO *, char *, int); + int (*BIO_meth_get_read(const BIO_METHOD *biom)) (BIO *, char *, int); int BIO_meth_set_read(BIO_METHOD *biom, int (*read) (BIO *, char *, int)); - int (*BIO_meth_get_puts(BIO_METHOD *biom)) (BIO *, const char *); + int (*BIO_meth_get_puts(const BIO_METHOD *biom)) (BIO *, const char *); int BIO_meth_set_puts(BIO_METHOD *biom, int (*puts) (BIO *, const char *)); - int (*BIO_meth_get_gets(BIO_METHOD *biom)) (BIO *, char *, int); + int (*BIO_meth_get_gets(const BIO_METHOD *biom)) (BIO *, char *, int); int BIO_meth_set_gets(BIO_METHOD *biom, int (*gets) (BIO *, char *, int)); - long (*BIO_meth_get_ctrl(BIO_METHOD *biom)) (BIO *, int, long, void *); + long (*BIO_meth_get_ctrl(const BIO_METHOD *biom)) (BIO *, int, long, void *); int BIO_meth_set_ctrl(BIO_METHOD *biom, long (*ctrl) (BIO *, int, long, void *)); - int (*BIO_meth_get_create(BIO_METHOD *bion)) (BIO *); + int (*BIO_meth_get_create(const BIO_METHOD *bion)) (BIO *); int BIO_meth_set_create(BIO_METHOD *biom, int (*create) (BIO *)); - int (*BIO_meth_get_destroy(BIO_METHOD *biom)) (BIO *); + int (*BIO_meth_get_destroy(const BIO_METHOD *biom)) (BIO *); int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy) (BIO *)); - long (*BIO_meth_get_callback_ctrl(BIO_METHOD *biom)) + long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom)) (BIO *, int, BIO_info_cb *); int BIO_meth_set_callback_ctrl(BIO_METHOD *biom, long (*callback_ctrl) (BIO *, int, @@ -121,7 +121,7 @@ The functions described here were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/BN_add.pod b/deps/openssl/openssl/doc/crypto/BN_add.pod index db3b0d45b4..b2c5dd2cc5 100644 --- a/deps/openssl/openssl/doc/crypto/BN_add.pod +++ b/deps/openssl/openssl/doc/crypto/BN_add.pod @@ -92,7 +92,9 @@ BN_exp() raises I<a> to the I<p>-th power and places the result in I<r> BN_mul(). BN_mod_exp() computes I<a> to the I<p>-th power modulo I<m> (C<r=a^p % -m>). This function uses less time and space than BN_exp(). +m>). This function uses less time and space than BN_exp(). Do not call this +function when B<m> is even and any of the parameters have the +B<BN_FLG_CONSTTIME> flag set. BN_gcd() computes the greatest common divisor of I<a> and I<b> and places the result in I<r>. I<r> may be the same B<BIGNUM> as I<a> or @@ -117,7 +119,7 @@ L<BN_add_word(3)>, L<BN_set_bit(3)> =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/BN_bn2bin.pod b/deps/openssl/openssl/doc/crypto/BN_bn2bin.pod index ac46948477..c9ca33fd13 100644 --- a/deps/openssl/openssl/doc/crypto/BN_bn2bin.pod +++ b/deps/openssl/openssl/doc/crypto/BN_bn2bin.pod @@ -55,8 +55,8 @@ freed later using OPENSSL_free(). BN_hex2bn() takes as many characters as possible from the string B<str>, including the leading character '-' which means negative, to form a valid hexadecimal number representation and converts them to a B<BIGNUM> and -stores it in **B<bn>. If *B<bn> is NULL, a new B<BIGNUM> is created. If -B<bn> is NULL, it only computes the length of valid representation. +stores it in **B<a>. If *B<a> is NULL, a new B<BIGNUM> is created. If +B<a> is NULL, it only computes the length of valid representation. A "negative zero" is converted to zero. BN_dec2bn() is the same using the decimal system. @@ -106,7 +106,7 @@ L<BN_num_bytes(3)> =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/BN_generate_prime.pod b/deps/openssl/openssl/doc/crypto/BN_generate_prime.pod index c97536b5c4..4cd667e2e3 100644 --- a/deps/openssl/openssl/doc/crypto/BN_generate_prime.pod +++ b/deps/openssl/openssl/doc/crypto/BN_generate_prime.pod @@ -100,7 +100,17 @@ If B<do_trial_division == 0>, this test is skipped. Both BN_is_prime_ex() and BN_is_prime_fasttest_ex() perform a Miller-Rabin probabilistic primality test with B<nchecks> iterations. If B<nchecks == BN_prime_checks>, a number of iterations is used that -yields a false positive rate of at most 2^-80 for random input. +yields a false positive rate of at most 2^-64 for random input. +The error rate depends on the size of the prime and goes down for bigger primes. +The rate is 2^-80 starting at 308 bits, 2^-112 at 852 bits, 2^-128 at 1080 bits, +2^-192 at 3747 bits and 2^-256 at 6394 bits. + +When the source of the prime is not random or not trusted, the number +of checks needs to be much higher to reach the same level of assurance: +It should equal half of the targeted security level in bits (rounded up to the +next integer if necessary). +For instance, to reach the 128 bit security level, B<nchecks> should be set to +64. If B<cb> is not B<NULL>, B<BN_GENCB_call(cb, 1, j)> is called after the j-th iteration (j = 0, 1, ...). B<ctx> is a @@ -184,7 +194,7 @@ and BN_GENCB_get_arg() were added in OpenSSL 1.1.0 =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/CMS_encrypt.pod b/deps/openssl/openssl/doc/crypto/CMS_encrypt.pod index 0ed42628c3..cbd5a21353 100644 --- a/deps/openssl/openssl/doc/crypto/CMS_encrypt.pod +++ b/deps/openssl/openssl/doc/crypto/CMS_encrypt.pod @@ -18,9 +18,8 @@ B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags. =head1 NOTES -Only certificates carrying RSA keys are supported so the recipient certificates -supplied to this function must all contain RSA public keys, though they do not -have to be signed using the RSA algorithm. +Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this +function. EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use because most clients will support it. @@ -94,7 +93,7 @@ The B<CMS_STREAM> flag was first supported in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/CMS_get0_SignerInfos.pod b/deps/openssl/openssl/doc/crypto/CMS_get0_SignerInfos.pod index e5532c96f4..cea088857a 100644 --- a/deps/openssl/openssl/doc/crypto/CMS_get0_SignerInfos.pod +++ b/deps/openssl/openssl/doc/crypto/CMS_get0_SignerInfos.pod @@ -54,7 +54,7 @@ CMS_SignerInfo_set1_signer_cert(). Once all signer certificates have been set CMS_verify() can be used. -Although CMS_get0_SignerInfos() can return NULL is an error occur B<or> if +Although CMS_get0_SignerInfos() can return NULL if an error occurs B<or> if there are no signers this is not a problem in practice because the only error which can occur is if the B<cms> structure is not of type signedData due to application error. @@ -79,7 +79,7 @@ L<ERR_get_error(3)>, L<CMS_verify(3)> =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/CMS_get1_ReceiptRequest.pod b/deps/openssl/openssl/doc/crypto/CMS_get1_ReceiptRequest.pod index 79f5f4232d..cb961be797 100644 --- a/deps/openssl/openssl/doc/crypto/CMS_get1_ReceiptRequest.pod +++ b/deps/openssl/openssl/doc/crypto/CMS_get1_ReceiptRequest.pod @@ -48,7 +48,7 @@ CMS_verify(). CMS_ReceiptRequest_create0() returns a signed receipt request structure or NULL if an error occurred. -CMS_add1_ReceiptRequest() returns 1 for success or 0 is an error occurred. +CMS_add1_ReceiptRequest() returns 1 for success or 0 if an error occurred. CMS_get1_ReceiptRequest() returns 1 is a signed receipt request is found and decoded. It returns 0 if a signed receipt request is not present and -1 if @@ -62,7 +62,7 @@ L<CMS_verify_receipt(3)> =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/DH_meth_new.pod b/deps/openssl/openssl/doc/crypto/DH_meth_new.pod index d768da8c6e..ef0a80b195 100644 --- a/deps/openssl/openssl/doc/crypto/DH_meth_new.pod +++ b/deps/openssl/openssl/doc/crypto/DH_meth_new.pod @@ -19,7 +19,7 @@ DH_meth_set_generate_params - Routines to build up DH methods DH_METHOD *DH_meth_dup(const DH_METHOD *dhm); const char *DH_meth_get0_name(const DH_METHOD *dhm); int DH_meth_set1_name(DH_METHOD *dhm, const char *name); - int DH_meth_get_flags(DH_METHOD *dhm); + int DH_meth_get_flags(const DH_METHOD *dhm); int DH_meth_set_flags(DH_METHOD *dhm, int flags); void *DH_meth_get0_app_data(const DH_METHOD *dhm); int DH_meth_set0_app_data(DH_METHOD *dhm, void *app_data); @@ -146,7 +146,7 @@ The functions described here were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/DSA_meth_new.pod b/deps/openssl/openssl/doc/crypto/DSA_meth_new.pod index 948ab29b58..8ebf7ab6bc 100644 --- a/deps/openssl/openssl/doc/crypto/DSA_meth_new.pod +++ b/deps/openssl/openssl/doc/crypto/DSA_meth_new.pod @@ -21,7 +21,7 @@ DSA_meth_set_keygen - Routines to build up DSA methods DSA_METHOD *DSA_meth_dup(const DSA_METHOD *meth); const char *DSA_meth_get0_name(const DSA_METHOD *dsam); int DSA_meth_set1_name(DSA_METHOD *dsam, const char *name); - int DSA_meth_get_flags(DSA_METHOD *dsam); + int DSA_meth_get_flags(const DSA_METHOD *dsam); int DSA_meth_set_flags(DSA_METHOD *dsam, int flags); void *DSA_meth_get0_app_data(const DSA_METHOD *dsam); int DSA_meth_set0_app_data(DSA_METHOD *dsam, void *app_data); @@ -183,7 +183,7 @@ The functions described here were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/DSA_sign.pod b/deps/openssl/openssl/doc/crypto/DSA_sign.pod index ba0f6b863e..b91f89f073 100644 --- a/deps/openssl/openssl/doc/crypto/DSA_sign.pod +++ b/deps/openssl/openssl/doc/crypto/DSA_sign.pod @@ -24,13 +24,12 @@ digest B<dgst> using the private key B<dsa> and places its ASN.1 DER encoding at B<sigret>. The length of the signature is places in *B<siglen>. B<sigret> must point to DSA_size(B<dsa>) bytes of memory. -DSA_sign_setup() may be used to precompute part of the signing -operation in case signature generation is time-critical. It expects -B<dsa> to contain DSA parameters. It places the precomputed values -in newly allocated B<BIGNUM>s at *B<kinvp> and *B<rp>, after freeing -the old ones unless *B<kinvp> and *B<rp> are NULL. These values may -be passed to DSA_sign() in B<dsa-E<gt>kinv> and B<dsa-E<gt>r>. -B<ctx> is a pre-allocated B<BN_CTX> or NULL. +DSA_sign_setup() is defined only for backward binary compatibility and +should not be used. +Since OpenSSL 1.1.0 the DSA type is opaque and the output of +DSA_sign_setup() cannot be used anyway: calling this function will only +cause overhead, and does not affect the actual signature +(pre-)computation. DSA_verify() verifies that the signature B<sigbuf> of size B<siglen> matches a given message digest B<dgst> of size B<len>. @@ -60,7 +59,7 @@ L<DSA_do_sign(3)> =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/ECDSA_SIG_new.pod b/deps/openssl/openssl/doc/crypto/ECDSA_SIG_new.pod index 9e1f662c62..f544ccbb32 100644 --- a/deps/openssl/openssl/doc/crypto/ECDSA_SIG_new.pod +++ b/deps/openssl/openssl/doc/crypto/ECDSA_SIG_new.pod @@ -114,6 +114,8 @@ returned as a newly allocated B<ECDSA_SIG> structure (or NULL on error). =head1 RETURN VALUES +ECDSA_SIG_new() returns NULL if the allocation fails. + ECDSA_SIG_set0() returns 1 on success or 0 on failure. ECDSA_size() returns the maximum length signature or 0 on error. @@ -197,7 +199,7 @@ L<EVP_DigestVerifyInit(3)> =head1 COPYRIGHT -Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/EVP_DigestInit.pod b/deps/openssl/openssl/doc/crypto/EVP_DigestInit.pod index bb7ef7a28f..1dc76cbdf8 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_DigestInit.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_DigestInit.pod @@ -3,11 +3,12 @@ =head1 NAME EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy_ex, +EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags, EVP_DigestInit_ex, EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_DigestInit, EVP_DigestFinal, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, -EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_md_null, EVP_md2, EVP_md5, EVP_sha1, -EVP_sha224, EVP_sha256, EVP_sha384, EVP_sha512, EVP_mdc2, +EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_MD_CTX_md_data, EVP_md_null, EVP_md2, +EVP_md5, EVP_sha1, EVP_sha224, EVP_sha256, EVP_sha384, EVP_sha512, EVP_mdc2, EVP_ripemd160, EVP_blake2b512, EVP_blake2s256, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj - EVP digest routines @@ -18,6 +19,9 @@ EVP_get_digestbynid, EVP_get_digestbyobj - EVP digest routines EVP_MD_CTX *EVP_MD_CTX_new(void); int EVP_MD_CTX_reset(EVP_MD_CTX *ctx); void EVP_MD_CTX_free(EVP_MD_CTX *ctx); + void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags); + void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags); + int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, int flags); int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); @@ -41,6 +45,7 @@ EVP_get_digestbynid, EVP_get_digestbyobj - EVP digest routines int EVP_MD_CTX_size(const EVP_MD *ctx); int EVP_MD_CTX_block_size(const EVP_MD *ctx); int EVP_MD_CTX_type(const EVP_MD *ctx); + void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx); const EVP_MD *EVP_md_null(void); const EVP_MD *EVP_md2(void); @@ -73,6 +78,9 @@ to reuse an already existing context. EVP_MD_CTX_free() cleans up digest context B<ctx> and frees up the space allocated to it. +EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags() and EVP_MD_CTX_test_flags() +sets, clears and tests B<ctx> flags. See L</FLAGS> below for more information. + EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this function. B<type> will typically be supplied by a function such as EVP_sha1(). @@ -117,6 +125,11 @@ representing the given message digest when passed an B<EVP_MD> structure. For example EVP_MD_type(EVP_sha1()) returns B<NID_sha1>. This function is normally used when setting ASN1 OIDs. +EVP_MD_CTX_md_data() return the digest method private data for the passed +B<EVP_MD_CTX>. +The space is allocated by OpenSSL and has the size originally set with +EVP_MD_meth_set_app_datasize(). + EVP_MD_CTX_md() returns the B<EVP_MD> structure corresponding to the passed B<EVP_MD_CTX>. @@ -139,6 +152,38 @@ EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj() return an B<EVP_MD> structure when passed a digest name, a digest NID or an ASN1_OBJECT structure respectively. +=head1 FLAGS + +EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags() and EVP_MD_CTX_test_flags() +can be used the manipulate and test these B<EVP_MD_CTX> flags: + +=over 4 + +=item EVP_MD_CTX_FLAG_ONESHOT + +This flag instructs the digest to optimize for one update only, if possible. + +=for comment EVP_MD_CTX_FLAG_CLEANED is internal, don't mention it + +=for comment EVP_MD_CTX_FLAG_REUSE is internal, don't mention it + +=for comment We currently avoid documenting flags that are only bit holder: +EVP_MD_CTX_FLAG_NON_FIPS_ALLOW, EVP_MD_CTX_FLAGS_PAD_* + +=item EVP_MD_CTX_FLAG_NO_INIT + +This flag instructs EVP_DigestInit() and similar not to initialise the +implementation specific data. + +=item EVP_MD_CTX_FLAG_FINALISE + +Some functions such as EVP_DigestSign only finalise copies of internal +contexts so additional data can be included after the finalisation call. +This is inefficient if this functionality is not required, and can be +disabled with this flag. + +=back + =head1 RETURN VALUES EVP_DigestInit_ex(), EVP_DigestUpdate() and EVP_DigestFinal_ex() return 1 for @@ -249,7 +294,7 @@ was removed in OpenSSL 1.1.0 =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/EVP_DigestSignInit.pod b/deps/openssl/openssl/doc/crypto/EVP_DigestSignInit.pod index 7ec06b7a27..5fadc82e6a 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_DigestSignInit.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_DigestSignInit.pod @@ -21,7 +21,48 @@ EVP_DigestSignInit() sets up signing context B<ctx> to use digest B<type> from ENGINE B<impl> and private key B<pkey>. B<ctx> must be created with EVP_MD_CTX_new() before calling this function. If B<pctx> is not NULL the EVP_PKEY_CTX of the signing operation will be written to B<*pctx>: this can -be used to set alternative signing options. +be used to set alternative signing options. The digest B<type> may be NULL if +the signing algorithm supports it. + +Only EVP_PKEY types that support signing can be used with these functions. This +includes MAC algorithms where the MAC generation is considered as a form of +"signing." Built-in EVP_PKEY types supported by these functions are CMAC, DSA, +ECDSA, HMAC and RSA. + +Not all digests can be used for all key types. The following combinations apply. + +=over 4 + +=item DSA + +Supports SHA1, SHA224, SHA256, SHA384 and SHA512 + +=item ECDSA + +Supports SHA1, SHA224, SHA256, SHA384 and SHA512 + +=item RSA with no padding + +Supports no digests (the digest B<type> must be NULL) + +=item RSA with X931 padding + +Supports SHA1, SHA256, SHA384 and SHA512 + +=item All other RSA padding types + +Support SHA1, SHA224, SHA256, SHA384, SHA512, MD5, MD5_SHA1, MD2, MD4, MDC2, +RIPEMD160 + +=item HMAC + +Supports any digest + +=item CMAC + +Will ignore any digest provided. + +=back EVP_DigestSignUpdate() hashes B<cnt> bytes of data at B<d> into the signature context B<ctx>. This function can be called several times on the @@ -86,7 +127,7 @@ were first added to OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_hkdf_md.pod b/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_hkdf_md.pod index 61e0eec528..459e7a02ff 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_hkdf_md.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_hkdf_md.pod @@ -59,7 +59,7 @@ All these functions are implemented as macros. A context for HKDF can be obtained by calling: - EVP_PKEY_CTX *pctx = EVP_PKEY_new_id(EVP_PKEY_HKDF, NULL); + EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); The digest, key, salt and info values must be set before a key is derived or an error occurs. @@ -118,7 +118,7 @@ L<EVP_PKEY_derive(3)> =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod b/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod index f1f0ae4fbe..fe35a5ece8 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod @@ -50,7 +50,7 @@ All these functions are implemented as macros. A context for the TLS PRF can be obtained by calling: - EVP_PKEY_CTX *pctx = EVP_PKEY_new_id(EVP_PKEY_TLS1_PRF, NULL); + EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); The digest, secret value and seed must be set before a key is derived or an error occurs. @@ -98,7 +98,7 @@ L<EVP_PKEY_derive(3)> =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/EVP_PKEY_asn1_get_count.pod b/deps/openssl/openssl/doc/crypto/EVP_PKEY_asn1_get_count.pod index a190f5e9ab..9ad2daed4f 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_PKEY_asn1_get_count.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_PKEY_asn1_get_count.pod @@ -48,7 +48,7 @@ engine that implements it. EVP_PKEY_asn1_get0_info() returns the public key ID, base public key ID (both NIDs), any flags, the method description and PEM type string -associated with the public key ASN.1 method B<*ameth>. +associated with the public key ASN.1 method B<*ameth>. EVP_PKEY_asn1_count(), EVP_PKEY_asn1_get0(), EVP_PKEY_asn1_find() and EVP_PKEY_asn1_find_str() are not thread safe, but as long as all diff --git a/deps/openssl/openssl/doc/crypto/OBJ_nid2obj.pod b/deps/openssl/openssl/doc/crypto/OBJ_nid2obj.pod index 3ada6679cf..c84adb2e46 100644 --- a/deps/openssl/openssl/doc/crypto/OBJ_nid2obj.pod +++ b/deps/openssl/openssl/doc/crypto/OBJ_nid2obj.pod @@ -54,7 +54,7 @@ constants. OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID B<n> to an ASN1_OBJECT structure, its long name and its short name respectively, -or B<NULL> is an error occurred. +or B<NULL> if an error occurred. OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() return the corresponding NID for the object B<o>, the long name <ln> or the short name <sn> respectively @@ -188,7 +188,7 @@ OBJ_cleanup() was deprecated in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/OCSP_resp_find_status.pod b/deps/openssl/openssl/doc/crypto/OCSP_resp_find_status.pod index 5123f0ad6d..e014df500b 100644 --- a/deps/openssl/openssl/doc/crypto/OCSP_resp_find_status.pod +++ b/deps/openssl/openssl/doc/crypto/OCSP_resp_find_status.pod @@ -7,7 +7,8 @@ OCSP_resp_get0_signer, OCSP_resp_get0_id, OCSP_resp_get0_produced_at, OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find, -OCSP_single_get0_status, OCSP_check_validity +OCSP_single_get0_status, OCSP_check_validity, +OCSP_basic_verify - OCSP response utility functions =head1 SYNOPSIS @@ -44,6 +45,9 @@ OCSP_single_get0_status, OCSP_check_validity ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec); + int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, + X509_STORE *st, unsigned long flags); + =head1 DESCRIPTION OCSP_resp_find_status() searches B<bs> for an OCSP response for B<id>. If it is @@ -93,6 +97,27 @@ OCSP_single_get0_status(). If B<sec> is non-zero it indicates how many seconds leeway should be allowed in the check. If B<maxsec> is positive it indicates the maximum age of B<thisupd> in seconds. +OCSP_basic_verify() checks that the basic response message B<bs> is correctly +signed and that the signer certificate can be validated. It takes B<st> as +the trusted store and B<certs> as a set of untrusted intermediate certificates. +The function first tries to find the signer certificate of the response +in <certs>. It also searches the certificates the responder may have included +in B<bs> unless the B<flags> contain B<OCSP_NOINTERN>. +It fails if the signer certificate cannot be found. +Next, the function checks the signature of B<bs> and fails on error +unless the B<flags> contain B<OCSP_NOSIGS>. Then the function already returns +success if the B<flags> contain B<OCSP_NOVERIFY> or if the signer certificate +was found in B<certs> and the B<flags> contain B<OCSP_TRUSTOTHER>. +Otherwise the function continues by validating the signer certificate. +To this end, all certificates in B<cert> and in B<bs> are considered as +untrusted certificates for the construction of the validation path for the +signer certificate unless the B<OCSP_NOCHAIN> flag is set. After successful path +validation the function returns success if the B<OCSP_NOCHECKS> flag is set. +Otherwise it verifies that the signer certificate meets the OCSP issuer +criteria including potential delegation. If this does not succeed and the +B<flags> do not contain B<OCSP_NOEXPLICIT> the function checks for explicit +trust for OCSP signing in the root CA certificate. + =head1 RETURN VALUES OCSP_resp_find_status() returns 1 if B<id> is found in B<bs> and 0 otherwise. @@ -112,6 +137,9 @@ occurred. OCSP_resp_get0_signer() returns 1 if the signing certificate was located, or 0 on error. +OCSP_basic_verify() returns 1 on success, 0 on error, or -1 on fatal error such +as malloc failure. + =head1 NOTES Applications will typically call OCSP_resp_find_status() using the certificate @@ -142,7 +170,7 @@ L<OCSP_sendreq_new(3)> =head1 COPYRIGHT -Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/OPENSSL_VERSION_NUMBER.pod b/deps/openssl/openssl/doc/crypto/OPENSSL_VERSION_NUMBER.pod index f50faec772..f5429d217e 100644 --- a/deps/openssl/openssl/doc/crypto/OPENSSL_VERSION_NUMBER.pod +++ b/deps/openssl/openssl/doc/crypto/OPENSSL_VERSION_NUMBER.pod @@ -47,11 +47,6 @@ number was therefore 0x0090581f. OpenSSL_version_num() returns the version number. -The macro OPENSSL_VERSION_AT_LEAST(major,minor) can be used at compile -time test if the current version is at least as new as the version provided. -The arguments major, minor and fix correspond to the version information -as given above. - OpenSSL_version() returns different strings depending on B<t>: =over 4 diff --git a/deps/openssl/openssl/doc/crypto/OPENSSL_init_crypto.pod b/deps/openssl/openssl/doc/crypto/OPENSSL_init_crypto.pod index f0b3c8aa8d..f9664ee352 100644 --- a/deps/openssl/openssl/doc/crypto/OPENSSL_init_crypto.pod +++ b/deps/openssl/openssl/doc/crypto/OPENSSL_init_crypto.pod @@ -190,10 +190,10 @@ resources should be freed at an earlier time, or under the circumstances described in the NOTES section below. The B<OPENSSL_INIT_LOAD_CONFIG> flag will load a default configuration -file. To specify a different file, an B<OPENSSL_INIT_SETTINGS> must -be created and used. The routines -OPENSSL_init_new() and OPENSSL_INIT_set_config_appname() can be used to -allocate the object and set the application name, and then the +file. For optional configuration file settings, an B<OPENSSL_INIT_SETTINGS> +must be created and used. +The routines OPENSSL_init_new() and OPENSSL_INIT_set_config_appname() can +be used to allocate the object and set the application name, and then the object can be released with OPENSSL_INIT_free() when done. =head1 NOTES @@ -235,7 +235,7 @@ and OPENSSL_INIT_free() functions were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/OPENSSL_malloc.pod b/deps/openssl/openssl/doc/crypto/OPENSSL_malloc.pod index 2104f43108..ba5dc1069f 100644 --- a/deps/openssl/openssl/doc/crypto/OPENSSL_malloc.pod +++ b/deps/openssl/openssl/doc/crypto/OPENSSL_malloc.pod @@ -68,8 +68,8 @@ CRYPTO_mem_leaks, CRYPTO_mem_leaks_fp - Memory allocation functions int CRYPTO_mem_debug_push(const char *info, const char *file, int line); int CRYPTO_mem_debug_pop(void); - void CRYPTO_mem_leaks(BIO *b); - void CRYPTO_mem_leaks_fp(FILE *fp); + int CRYPTO_mem_leaks(BIO *b); + int CRYPTO_mem_leaks_fp(FILE *fp); =head1 DESCRIPTION @@ -197,7 +197,7 @@ only, say, the malloc() implementation is outright dangerous.> =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/PEM_read_bio_PrivateKey.pod b/deps/openssl/openssl/doc/crypto/PEM_read_bio_PrivateKey.pod index 6b3006ef35..b0ba62a3b3 100644 --- a/deps/openssl/openssl/doc/crypto/PEM_read_bio_PrivateKey.pod +++ b/deps/openssl/openssl/doc/crypto/PEM_read_bio_PrivateKey.pod @@ -294,7 +294,7 @@ for it twice) if B<rwflag> is 1. The B<u> parameter has the same value as the B<u> parameter passed to the PEM routine. It allows arbitrary data to be passed to the callback by the application (for example a window handle in a GUI application). The callback -B<must> return the number of characters in the passphrase or 0 if +B<must> return the number of characters in the passphrase or -1 if an error occurred. =head1 EXAMPLES @@ -348,17 +348,16 @@ Skeleton pass phrase callback: int pass_cb(char *buf, int size, int rwflag, void *u) { - int len; - char *tmp; /* We'd probably do something else if 'rwflag' is 1 */ printf("Enter pass phrase for \"%s\"\n", (char *)u); /* get pass phrase, length 'len' into 'tmp' */ - tmp = "hello"; - len = strlen(tmp); - if (len <= 0) - return 0; + char *tmp = "hello"; + if (tmp == NULL) /* An error occurred */ + return -1; + + size_t len = strlen(tmp); if (len > size) len = size; @@ -471,7 +470,7 @@ L<EVP_EncryptInit(3)>, L<EVP_BytesToKey(3)> =head1 COPYRIGHT -Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/RSA_meth_new.pod b/deps/openssl/openssl/doc/crypto/RSA_meth_new.pod index 9970aa6b73..9c89426a9a 100644 --- a/deps/openssl/openssl/doc/crypto/RSA_meth_new.pod +++ b/deps/openssl/openssl/doc/crypto/RSA_meth_new.pod @@ -24,7 +24,7 @@ RSA_meth_set_verify, RSA_meth_get_keygen, RSA_meth_set_keygen RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); const char *RSA_meth_get0_name(const RSA_METHOD *meth); int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); - int RSA_meth_get_flags(RSA_METHOD *meth); + int RSA_meth_get_flags(const RSA_METHOD *meth); int RSA_meth_set_flags(RSA_METHOD *meth, int flags); void *RSA_meth_get0_app_data(const RSA_METHOD *meth); int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data); @@ -225,7 +225,7 @@ The functions described here were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/SMIME_read_PKCS7.pod b/deps/openssl/openssl/doc/crypto/SMIME_read_PKCS7.pod index 3eb8bbc9a0..c11090891a 100644 --- a/deps/openssl/openssl/doc/crypto/SMIME_read_PKCS7.pod +++ b/deps/openssl/openssl/doc/crypto/SMIME_read_PKCS7.pod @@ -57,7 +57,7 @@ streaming single pass option should be available. =head1 RETURN VALUES SMIME_read_PKCS7() returns a valid B<PKCS7> structure or B<NULL> -is an error occurred. The error can be obtained from ERR_get_error(3). +if an error occurred. The error can be obtained from ERR_get_error(3). =head1 SEE ALSO @@ -68,7 +68,7 @@ L<PKCS7_decrypt(3)> =head1 COPYRIGHT -Copyright 2002-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/UI_STRING.pod b/deps/openssl/openssl/doc/crypto/UI_STRING.pod index 8a0d9f2d25..340d9b2ae2 100644 --- a/deps/openssl/openssl/doc/crypto/UI_STRING.pod +++ b/deps/openssl/openssl/doc/crypto/UI_STRING.pod @@ -132,3 +132,4 @@ in the file LICENSE in the source distribution or at L<https://www.openssl.org/source/license.html>. =cut + diff --git a/deps/openssl/openssl/doc/crypto/X509_LOOKUP_hash_dir.pod b/deps/openssl/openssl/doc/crypto/X509_LOOKUP_hash_dir.pod index 5f8dfa93b0..4f2768d4f4 100644 --- a/deps/openssl/openssl/doc/crypto/X509_LOOKUP_hash_dir.pod +++ b/deps/openssl/openssl/doc/crypto/X509_LOOKUP_hash_dir.pod @@ -117,10 +117,11 @@ L<PEM_read_PrivateKey(3)>, L<X509_STORE_load_locations(3)>, L<X509_store_add_lookup(3)>, L<SSL_CTX_load_verify_locations(3)>, +L<X509_LOOKUP_meth_new(3)>, =head1 COPYRIGHT -Copyright 2015-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/X509_LOOKUP_meth_new.pod b/deps/openssl/openssl/doc/crypto/X509_LOOKUP_meth_new.pod new file mode 100644 index 0000000000..fb165fd6ad --- /dev/null +++ b/deps/openssl/openssl/doc/crypto/X509_LOOKUP_meth_new.pod @@ -0,0 +1,189 @@ +=pod + +=head1 NAME + +X509_LOOKUP_meth_new, X509_LOOKUP_meth_free, X509_LOOKUP_meth_set_new_item, +X509_LOOKUP_meth_get_new_item, X509_LOOKUP_meth_set_free, +X509_LOOKUP_meth_get_free, X509_LOOKUP_meth_set_init, +X509_LOOKUP_meth_get_init, X509_LOOKUP_meth_set_shutdown, +X509_LOOKUP_meth_get_shutdown, +X509_LOOKUP_ctrl_fn, X509_LOOKUP_meth_set_ctrl, X509_LOOKUP_meth_get_ctrl, +X509_LOOKUP_get_by_subject_fn, X509_LOOKUP_meth_set_get_by_subject, +X509_LOOKUP_meth_get_get_by_subject, +X509_LOOKUP_get_by_issuer_serial_fn, X509_LOOKUP_meth_set_get_by_issuer_serial, +X509_LOOKUP_meth_get_get_by_issuer_serial, +X509_LOOKUP_get_by_fingerprint_fn, X509_LOOKUP_meth_set_get_by_fingerprint, +X509_LOOKUP_meth_get_get_by_fingerprint, +X509_LOOKUP_get_by_alias_fn, X509_LOOKUP_meth_set_get_by_alias, +X509_LOOKUP_meth_get_get_by_alias, +X509_LOOKUP_set_method_data, X509_LOOKUP_get_method_data, +X509_LOOKUP_get_store, X509_OBJECT_set1_X509, X509_OBJECT_set1_X509_CRL +- Routines to build up X509_LOOKUP methods + +=head1 SYNOPSIS + + #include <openssl/x509_vfy.h> + + X509_LOOKUP_METHOD *X509_LOOKUP_meth_new(const char *name); + void X509_LOOKUP_meth_free(X509_LOOKUP_METHOD *method); + + int X509_LOOKUP_meth_set_new_item(X509_LOOKUP_METHOD *method, + int (*new_item) (X509_LOOKUP *ctx)); + int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + + int X509_LOOKUP_meth_set_free(X509_LOOKUP_METHOD *method, + void (*free) (X509_LOOKUP *ctx)); + void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + + int X509_LOOKUP_meth_set_init(X509_LOOKUP_METHOD *method, + int (*init) (X509_LOOKUP *ctx)); + int (*X509_LOOKUP_meth_get_init(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + + int X509_LOOKUP_meth_set_shutdown(X509_LOOKUP_METHOD *method, + int (*shutdown) (X509_LOOKUP *ctx)); + int (*X509_LOOKUP_meth_get_shutdown(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + + typedef int (*X509_LOOKUP_ctrl_fn)(X509_LOOKUP *ctx, int cmd, const char *argc, + long argl, char **ret); + int X509_LOOKUP_meth_set_ctrl(X509_LOOKUP_METHOD *method, + X509_LOOKUP_ctrl_fn ctrl_fn); + X509_LOOKUP_ctrl_fn X509_LOOKUP_meth_get_ctrl(const X509_LOOKUP_METHOD *method); + + typedef int (*X509_LOOKUP_get_by_subject_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + X509_NAME *name, + X509_OBJECT *ret); + int X509_LOOKUP_meth_set_get_by_subject(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_subject_fn fn); + X509_LOOKUP_get_by_subject_fn X509_LOOKUP_meth_get_get_by_subject( + const X509_LOOKUP_METHOD *method); + + typedef int (*X509_LOOKUP_get_by_issuer_serial_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + X509_NAME *name, + ASN1_INTEGER *serial, + X509_OBJECT *ret); + int X509_LOOKUP_meth_set_get_by_issuer_serial( + X509_LOOKUP_METHOD *method, X509_LOOKUP_get_by_issuer_serial_fn fn); + X509_LOOKUP_get_by_issuer_serial_fn X509_LOOKUP_meth_get_get_by_issuer_serial( + const X509_LOOKUP_METHOD *method); + + typedef int (*X509_LOOKUP_get_by_fingerprint_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + const unsigned char* bytes, + int len, + X509_OBJECT *ret); + int X509_LOOKUP_meth_set_get_by_fingerprint(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_fingerprint_fn fn); + X509_LOOKUP_get_by_fingerprint_fn X509_LOOKUP_meth_get_get_by_fingerprint( + const X509_LOOKUP_METHOD *method); + + typedef int (*X509_LOOKUP_get_by_alias_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + const char *str, + int len, + X509_OBJECT *ret); + int X509_LOOKUP_meth_set_get_by_alias(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_alias_fn fn); + X509_LOOKUP_get_by_alias_fn X509_LOOKUP_meth_get_get_by_alias( + const X509_LOOKUP_METHOD *method); + + int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data); + void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx); + + X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx); + + int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj); + int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj); + +=head1 DESCRIPTION + +The B<X509_LOOKUP_METHOD> type is a structure used for the implementation of new +X509_LOOKUP types. It provides a set of functions used by OpenSSL for the +implementation of various X509 and X509_CRL lookup capabilities. One instance +of an X509_LOOKUP_METHOD can be associated to many instantiations of an +B<X509_LOOKUP> structure. + +X509_LOOKUP_meth_new() creates a new B<X509_LOOKUP_METHOD> structure. It should +be given a human-readable string containing a brief description of the lookup +method. + +X509_LOOKUP_meth_free() destroys a B<X509_LOOKUP_METHOD> structure. + +X509_LOOKUP_get_new_item() and X509_LOOKUP_set_new_item() get and set the +function that is called when an B<X509_LOOKUP> object is created with +X509_LOOKUP_new(). If an X509_LOOKUP_METHOD requires any per-X509_LOOKUP +specific data, the supplied new_item function should allocate this data and +invoke X509_LOOKUP_set_method_data(). + +X509_LOOKUP_get_free() and X509_LOOKUP_set_free() get and set the function +that is used to free any method data that was allocated and set from within +new_item function. + +X509_LOOKUP_meth_get_init() and X509_LOOKUP_meth_set_init() get and set the +function that is used to initialize the method data that was set with +X509_LOOKUP_set_method_data() as part of the new_item routine. + +X509_LOOKUP_meth_get_shutdown() and X509_LOOKUP_meth_set_shutdown() get and set +the function that is used to shut down the method data whose state was +previously initialized in the init function. + +X509_LOOKUP_meth_get_ctrl() and X509_LOOKUP_meth_set_ctrl() get and set a +function to be used to handle arbitrary control commands issued by +X509_LOOKUP_ctrl(). The control function is given the X509_LOOKUP +B<ctx>, along with the arguments passed by X509_LOOKUP_ctrl. B<cmd> is +an arbitrary integer that defines some operation. B<argc> is a pointer +to an array of characters. B<argl> is an integer. B<ret>, if set, +points to a location where any return data should be written to. How +B<argc> and B<argl> are used depends entirely on the control function. + + +X509_LOOKUP_set_get_by_subject(), X509_LOOKUP_set_get_by_issuer_serial(), +X509_LOOKUP_set_get_by_fingerprint(), X509_LOOKUP_set_get_by_alias() set +the functions used to retrieve an X509 or X509_CRL object by the object's +subject, issuer, fingerprint, and alias respectively. These functions are given +the X509_LOOKUP context, the type of the X509_OBJECT being requested, parameters +related to the lookup, and an X509_OBJECT that will receive the requested +object. + +Implementations should use either X509_OBJECT_set1_X509() or +X509_OBJECT_set1_X509_CRL() to set the result. Any method data that was +created as a result of the new_item function set by +X509_LOOKUP_meth_set_new_item() can be accessed with +X509_LOOKUP_get_method_data(). The B<X509_STORE> object that owns the +X509_LOOKUP may be accessed with X509_LOOKUP_get_store(). Successful lookups +should return 1, and unsuccessful lookups should return 0. + +X509_LOOKUP_get_get_by_subject(), X509_LOOKUP_get_get_by_issuer_serial(), +X509_LOOKUP_get_get_by_fingerprint(), X509_LOOKUP_get_get_by_alias() retrieve +the function set by the corresponding setter. + +=head1 RETURN VALUES + +The B<X509_LOOKUP_meth_set> functions return 1 on success or 0 on error. + +The B<X509_LOOKUP_meth_get> functions return the corresponding function +pointers. + +=head1 SEE ALSO + +L<X509_STORE_new(3)>, L<SSL_CTX_set_cert_store(3)> + +=head1 HISTORY + +The functions described here were added in OpenSSL 1.1.0i. + +=head1 COPYRIGHT + +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index 5263facfd4..320b258a85 100644 --- a/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -11,7 +11,9 @@ X509_VERIFY_PARAM_get_auth_level, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_get_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, -X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get0_peername, +X509_VERIFY_PARAM_set_hostflags, +X509_VERIFY_PARAM_get_hostflags, +X509_VERIFY_PARAM_get0_peername, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters @@ -54,6 +56,7 @@ X509_VERIFY_PARAM_set1_ip_asc const char *name, size_t namelen); void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags); + unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param); char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email, size_t emaillen); @@ -130,14 +133,32 @@ B<name> clearing any previously specified host name or names. If B<name> is NULL, or empty the list of hostnames is cleared, and name checks are not performed on the peer certificate. If B<name> is NUL-terminated, B<namelen> may be zero, otherwise B<namelen> -must be set to the length of B<name>. When a hostname is specified, +must be set to the length of B<name>. + +When a hostname is specified, certificate verification automatically invokes L<X509_check_host(3)> with flags equal to the B<flags> argument given to X509_VERIFY_PARAM_set_hostflags() (default zero). Applications are strongly advised to use this interface in preference to explicitly -calling L<X509_check_host(3)>, hostname checks are out of scope +calling L<X509_check_host(3)>, hostname checks may be out of scope with the DANE-EE(3) certificate usage, and the internal check will -be suppressed as appropriate when DANE support is added to OpenSSL. +be suppressed as appropriate when DANE verification is enabled. + +When the subject CommonName will not be ignored, whether as a result of the +B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> host flag, or because no DNS subject +alternative names are present in the certificate, any DNS name constraints in +issuer certificates apply to the subject CommonName as well as the subject +alternative name extension. + +When the subject CommonName will be ignored, whether as a result of the +B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> host flag, or because some DNS subject +alternative names are present in the certificate, DNS name constraints in +issuer certificates will not be applied to the subject DN. +As described in X509_check_host(3) the B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> +flag takes precendence over the B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> flag. + +X509_VERIFY_PARAM_get_hostflags() returns any host flags previously set via a +call to X509_VERIFY_PARAM_set_hostflags(). X509_VERIFY_PARAM_add1_host() adds B<name> as an additional reference identifier that can match the peer's certificate. Any previous names @@ -186,6 +207,8 @@ failure. X509_VERIFY_PARAM_get_flags() returns the current verification flags. +X509_VERIFY_PARAM_get_hostflags() returns any current host flags. + X509_VERIFY_PARAM_get_inh_flags() returns the current inheritance flags. X509_VERIFY_PARAM_set_time() and X509_VERIFY_PARAM_set_depth() do not return @@ -347,6 +370,8 @@ The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.1.0 The legacy B<X509_V_FLAG_CB_ISSUER_CHECK> flag is deprecated as of OpenSSL 1.1.0, and has no effect. +X509_VERIFY_PARAM_get_hostflags() was added in OpenSSL 1.1.0i. + =head1 COPYRIGHT Copyright 2009-2018 The OpenSSL Project Authors. All Rights Reserved. diff --git a/deps/openssl/openssl/doc/crypto/X509_check_host.pod b/deps/openssl/openssl/doc/crypto/X509_check_host.pod index 93848152b5..fb9f6a64ec 100644 --- a/deps/openssl/openssl/doc/crypto/X509_check_host.pod +++ b/deps/openssl/openssl/doc/crypto/X509_check_host.pod @@ -93,6 +93,9 @@ consider the subject DN even if the certificate contains no subject alternative names of the right type (DNS name or email address as appropriate); the default is to use the subject DN when no corresponding subject alternative names are present. +If both B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> and +B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> are specified, the latter takes +precedence and the subject DN is not checked for matching names. If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard expansion; this only applies to B<X509_check_host>. @@ -128,9 +131,9 @@ NULs. Applications are encouraged to use X509_VERIFY_PARAM_set1_host() rather than explicitly calling L<X509_check_host(3)>. Host name -checks are out of scope with the DANE-EE(3) certificate usage, +checks may be out of scope with the DANE-EE(3) certificate usage, and the internal checks will be suppressed as appropriate when -DANE support is added to OpenSSL. +DANE support is enabled. =head1 SEE ALSO @@ -147,7 +150,7 @@ These functions were added in OpenSSL 1.0.2. =head1 COPYRIGHT -Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/X509_cmp_time.pod b/deps/openssl/openssl/doc/crypto/X509_cmp_time.pod new file mode 100644 index 0000000000..5bf5111451 --- /dev/null +++ b/deps/openssl/openssl/doc/crypto/X509_cmp_time.pod @@ -0,0 +1,39 @@ +=pod + +=head1 NAME + +X509_cmp_time - X509 time functions + +=head1 SYNOPSIS + + X509_cmp_time(const ASN1_TIME *asn1_time, time_t *cmp_time); + +=head1 DESCRIPTION + +X509_cmp_time() compares the ASN1_TIME in B<asn1_time> with the time in +<cmp_time>. + +B<asn1_time> must satisfy the ASN1_TIME format mandated by RFC 5280, i.e., +its format must be either YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ. + +If B<cmp_time> is NULL the current time is used. + +=head1 BUGS + +Unlike many standard comparison functions, X509_cmp_time returns 0 on error. + +=head1 RETURN VALUES + +X509_cmp_time() returns -1 if B<asn1_time> is earlier than, or equal to, +B<cmp_time>, and 1 otherwise. It returns 0 on error. + +=head1 COPYRIGHT + +Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/deps/openssl/openssl/doc/crypto/bio.pod b/deps/openssl/openssl/doc/crypto/bio.pod index 7be3121fd1..1e1dd02106 100644 --- a/deps/openssl/openssl/doc/crypto/bio.pod +++ b/deps/openssl/openssl/doc/crypto/bio.pod @@ -87,3 +87,4 @@ in the file LICENSE in the source distribution or at L<https://www.openssl.org/source/license.html>. =cut + diff --git a/deps/openssl/openssl/doc/fingerprints.txt b/deps/openssl/openssl/doc/fingerprints.txt index 1863224df3..2cb74aec27 100644 --- a/deps/openssl/openssl/doc/fingerprints.txt +++ b/deps/openssl/openssl/doc/fingerprints.txt @@ -18,10 +18,7 @@ uid Richard Levitte <richard@opensslfoundation.com> uid Richard Levitte <levitte@openssl.org> uid Richard Levitte <richard@openssl.com> -pub 4096R/FA40E9E2 2005-03-19 - Key fingerprint = 6260 5AA4 334A F9F0 DDE5 D349 D357 7507 FA40 E9E2 -uid Dr Stephen N Henson <steve@openssl.org> - pub 2048R/0E604491 2013-04-30 Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 +uid Matt Caswell <matt@openssl.org> uid Matt Caswell <frodo@baggins.org> diff --git a/deps/openssl/openssl/doc/openssl-c-indent.el b/deps/openssl/openssl/doc/openssl-c-indent.el index cca118303e..852f794f96 100644 --- a/deps/openssl/openssl/doc/openssl-c-indent.el +++ b/deps/openssl/openssl/doc/openssl-c-indent.el @@ -54,6 +54,7 @@ (arglist-close . c-lineup-arglist) ; From "gnu" style (inline-open . 0) ; From "gnu" style (brace-list-open . +) ; From "gnu" style + (inextern-lang . 0) ; Don't indent inside extern block (topmost-intro-cont first c-lineup-topmost-intro-cont c-lineup-gnu-DEFUN-intro-cont) ; From "gnu" style ) diff --git a/deps/openssl/openssl/doc/ssl/SSL_CONF_cmd.pod b/deps/openssl/openssl/doc/ssl/SSL_CONF_cmd.pod index a28e218332..12fdcab83c 100644 --- a/deps/openssl/openssl/doc/ssl/SSL_CONF_cmd.pod +++ b/deps/openssl/openssl/doc/ssl/SSL_CONF_cmd.pod @@ -506,10 +506,6 @@ Set supported curves to P-256, P-384: SSL_CONF_cmd(ctx, "Curves", "P-256:P-384"); -Set automatic support for any elliptic curve for key exchange: - - SSL_CONF_cmd(ctx, "ECDHParameters", "Automatic"); - =head1 RETURN VALUES SSL_CONF_cmd() returns 1 if the value of B<cmd> is recognised and B<value> is diff --git a/deps/openssl/openssl/doc/ssl/SSL_CTX_set_ctlog_list_file.pod b/deps/openssl/openssl/doc/ssl/SSL_CTX_set_ctlog_list_file.pod index 1dead1dbfc..4a2fa946fe 100644 --- a/deps/openssl/openssl/doc/ssl/SSL_CTX_set_ctlog_list_file.pod +++ b/deps/openssl/openssl/doc/ssl/SSL_CTX_set_ctlog_list_file.pod @@ -24,7 +24,7 @@ See L<CTLOG_STORE_new(3)> for the file format. =head1 NOTES These functions will not clear the existing CT log list - it will be appended -to. To replace the existing list, use L<SSL_CTX_set0_ctlog_store> first. +to. To replace the existing list, use L<SSL_CTX_set0_ctlog_store> first. If an error occurs whilst parsing a particular log entry in the file, that log entry will be skipped. diff --git a/deps/openssl/openssl/doc/ssl/SSL_CTX_use_certificate.pod b/deps/openssl/openssl/doc/ssl/SSL_CTX_use_certificate.pod index c645f58078..8ed7b5ea15 100644 --- a/deps/openssl/openssl/doc/ssl/SSL_CTX_use_certificate.pod +++ b/deps/openssl/openssl/doc/ssl/SSL_CTX_use_certificate.pod @@ -153,6 +153,13 @@ L<SSL_CTX_set_default_passwd_cb(3)>. of view, it however does not make sense as the data in the certificate is considered public anyway.) +All of the functions to set a new certificate will replace any existing +certificate of the same type that has already been set. Similarly all of the +functions to set a new private key will replace any private key that has already +been set. Applications should call L<SSL_CTX_check_private_key(3)> or +L<SSL_check_private_key(3)> as appropriate after loading a new certificate and +private key to confirm that the certificate and key match. + =head1 RETURN VALUES On success, the functions return 1. @@ -170,7 +177,7 @@ L<SSL_CTX_add_extra_chain_cert(3)> =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/ssl/SSL_get_ciphers.pod b/deps/openssl/openssl/doc/ssl/SSL_get_ciphers.pod index cc55095d47..2759cc3cc6 100644 --- a/deps/openssl/openssl/doc/ssl/SSL_get_ciphers.pod +++ b/deps/openssl/openssl/doc/ssl/SSL_get_ciphers.pod @@ -2,8 +2,12 @@ =head1 NAME -SSL_get1_supported_ciphers, SSL_get_client_ciphers, -SSL_get_ciphers, SSL_CTX_get_ciphers, SSL_get_cipher_list +SSL_get1_supported_ciphers, +SSL_get_client_ciphers, +SSL_get_ciphers, +SSL_CTX_get_ciphers, +SSL_get_cipher_list, +SSL_get_shared_ciphers - get list of available SSL_CIPHERs =head1 SYNOPSIS @@ -15,6 +19,7 @@ SSL_get_ciphers, SSL_CTX_get_ciphers, SSL_get_cipher_list STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s); STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *ssl); const char *SSL_get_cipher_list(const SSL *ssl, int priority); + char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size); =head1 DESCRIPTION @@ -25,16 +30,16 @@ is returned. SSL_CTX_get_ciphers() returns the stack of available SSL_CIPHERs for B<ctx>. SSL_get1_supported_ciphers() returns the stack of enabled SSL_CIPHERs for -B<ssl>, sorted by preference. +B<ssl> as would be sent in a ClientHello (that is, sorted by preference). The list depends on settings like the cipher list, the supported protocol versions, the security level, and the enabled signature algorithms. SRP and PSK ciphers are only enabled if the appropriate callbacks or settings have been applied. -This is the list that will be sent by the client to the server. -The list supported by the server might include more ciphers in case there is a -hole in the list of supported protocols. -The server will also not use ciphers from this list depending on the -configured certificates and DH parameters. +The list of ciphers that would be sent in a ClientHello can differ from +the list of ciphers that would be acceptable when acting as a server. +For example, additional ciphers may be usable by a server if there is +a gap in the list of supported protocols, and some ciphers may not be +usable by a server if there is not a suitable certificate configured. If B<ssl> is NULL or no ciphers are available, NULL is returned. SSL_get_client_ciphers() returns the stack of available SSL_CIPHERs matching the @@ -46,6 +51,19 @@ listed for B<ssl> with B<priority>. If B<ssl> is NULL, no ciphers are available, or there are less ciphers than B<priority> available, NULL is returned. +SSL_get_shared_ciphers() creates a colon separated and NUL terminated list of +SSL_CIPHER names that are available in both the client and the server. B<buf> is +the buffer that should be populated with the list of names and B<size> is the +size of that buffer. A pointer to B<buf> is returned on success or NULL on +error. If the supplied buffer is not large enough to contain the complete list +of names then a truncated list of names will be returned. Note that just because +a ciphersuite is available (i.e. it is configured in the cipher list) and shared +by both the client and the server it does not mean that it is enabled (see the +description of SSL_get1_supported_ciphers() above). This function will return +available shared ciphersuites whether or not they are enabled. This is a server +side function only and must only be called after the completion of the initial +handshake. + =head1 NOTES The details of the ciphers obtained by SSL_get_ciphers(), SSL_CTX_get_ciphers() @@ -74,7 +92,7 @@ L<SSL_CIPHER_get_name(3)> =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/ssl/SSL_get_session.pod b/deps/openssl/openssl/doc/ssl/SSL_get_session.pod index 99936ad765..2de241fcda 100644 --- a/deps/openssl/openssl/doc/ssl/SSL_get_session.pod +++ b/deps/openssl/openssl/doc/ssl/SSL_get_session.pod @@ -28,6 +28,11 @@ count of the B<SSL_SESSION> is incremented by one. The ssl session contains all information required to re-establish the connection without a new handshake. +A session will be automatically removed from the session cache and marked as +non-resumable if the connection is not closed down cleanly, e.g. if a fatal +error occurs on the connection or L<SSL_shutdown(3)> is not called prior to +L<SSL_free(3)>. + SSL_get0_session() returns a pointer to the actual session. As the reference counter is not incremented, the pointer is only valid while the connection is in use. If L<SSL_clear(3)> or @@ -72,7 +77,7 @@ L<SSL_SESSION_free(3)> =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/ssl/SSL_get_version.pod b/deps/openssl/openssl/doc/ssl/SSL_get_version.pod index 23b6497d4f..507ca9f362 100644 --- a/deps/openssl/openssl/doc/ssl/SSL_get_version.pod +++ b/deps/openssl/openssl/doc/ssl/SSL_get_version.pod @@ -15,7 +15,9 @@ SSL_get_version, SSL_is_dtls - get the protocol information of a connection =head1 DESCRIPTION SSL_get_version() returns the name of the protocol used for the -connection B<ssl>. +connection B<ssl>. It should only be called after the initial handshake has been +completed. Prior to that the results returned from this function may be +unreliable. SSL_is_dtls() returns one if the connection is using DTLS, zero if not. @@ -43,7 +45,7 @@ The connection uses the TLSv1.2 protocol. =item unknown -This indicates that no version has been set (no connection established). +This indicates an unknown protocol version. =back @@ -57,7 +59,7 @@ SSL_is_dtls() was added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/ssl/SSL_set1_host.pod b/deps/openssl/openssl/doc/ssl/SSL_set1_host.pod index 3339a0e803..715845e1f7 100644 --- a/deps/openssl/openssl/doc/ssl/SSL_set1_host.pod +++ b/deps/openssl/openssl/doc/ssl/SSL_set1_host.pod @@ -56,7 +56,7 @@ is cleared or freed, or a renegotiation takes place. Applications must not free the return value. SSL clients are advised to use these functions in preference to -explicitly calling L<X509_check_host(3)>. Hostname checks are out +explicitly calling L<X509_check_host(3)>. Hostname checks may be out of scope with the RFC7671 DANE-EE(3) certificate usage, and the internal check will be suppressed as appropriate when DANE is enabled. @@ -111,7 +111,7 @@ These functions were first added to OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/ssl/ssl.pod b/deps/openssl/openssl/doc/ssl/ssl.pod index 4d919072ea..da12e29c63 100644 --- a/deps/openssl/openssl/doc/ssl/ssl.pod +++ b/deps/openssl/openssl/doc/ssl/ssl.pod @@ -91,12 +91,6 @@ includes both more private SSL headers and headers from the B<crypto> library. Whenever you need hard-core details on the internals of the SSL API, look inside this header file. -OPENSSL_VERSION_AT_LEAST(major,minor) can be -used in C<#if> statements in order to determine which version of the library is -being used. This can be used to either enable optional features at compile -time, or work around issues with a previous version. -See L<OPENSSL_VERSION_NUMBER(3)>. - =item B<ssl2.h> Unused. Present for backwards compatibility only. @@ -574,7 +568,7 @@ fresh handle for each connection. =item SSL_SESSION *B<SSL_get_session>(const SSL *ssl); -=item char *B<SSL_get_shared_ciphers>(const SSL *ssl, char *buf, int len); +=item char *B<SSL_get_shared_ciphers>(const SSL *ssl, char *buf, int size); =item int B<SSL_get_shutdown>(const SSL *ssl); diff --git a/deps/openssl/openssl/engines/asm/e_padlock-x86.pl b/deps/openssl/openssl/engines/asm/e_padlock-x86.pl index fec99bfb65..bf6b312cd1 100644 --- a/deps/openssl/openssl/engines/asm/e_padlock-x86.pl +++ b/deps/openssl/openssl/engines/asm/e_padlock-x86.pl @@ -448,7 +448,7 @@ my ($mode,$opcode) = @_; &mov ("esi",&wparam(1)); &mov ("ecx",&wparam(2)); if ($::win32 or $::coff) { - &push (&::islabel("_win32_segv_handler")); + &push (&::islabel("_win32_segv_handler")); &data_byte(0x64,0xff,0x30); # push %fs:(%eax) &data_byte(0x64,0x89,0x20); # mov %esp,%fs:(%eax) } @@ -499,7 +499,7 @@ my ($mode,$opcode) = @_; &mov ("edi",&wparam(0)); &movups (&QWP(0,"edi"),"xmm0"); # copy-out context &mov (&DWP(16,"edi"),"eax"); - &pop ("esi"); + &pop ("esi"); &pop ("edi"); &ret (); &function_end_B("padlock_sha1_blocks"); @@ -512,7 +512,7 @@ my ($mode,$opcode) = @_; &mov ("esi",&wparam(1)); &mov ("ecx",&wparam(2)); if ($::win32 or $::coff) { - &push (&::islabel("_win32_segv_handler")); + &push (&::islabel("_win32_segv_handler")); &data_byte(0x64,0xff,0x30); # push %fs:(%eax) &data_byte(0x64,0x89,0x20); # mov %esp,%fs:(%eax) } diff --git a/deps/openssl/openssl/engines/asm/e_padlock-x86_64.pl b/deps/openssl/openssl/engines/asm/e_padlock-x86_64.pl index 834b1ea79c..da285abc61 100644 --- a/deps/openssl/openssl/engines/asm/e_padlock-x86_64.pl +++ b/deps/openssl/openssl/engines/asm/e_padlock-x86_64.pl @@ -535,7 +535,7 @@ $code.=<<___ if ($PADLOCK_PREFETCH{$mode}); sub $len,%rsp shr \$3,$len lea (%rsp),$out - .byte 0xf3,0x48,0xa5 # rep movsq + .byte 0xf3,0x48,0xa5 # rep movsq lea (%r8),$out lea (%rsp),$inp mov $chunk,$len diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/INSTALL b/deps/openssl/openssl/external/perl/Text-Template-1.46/INSTALL index 466f8e5040..7c5e4c6bde 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/INSTALL +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/INSTALL @@ -21,7 +21,7 @@ Detailed documentation is at the bottom of the lib/Text/Template.pm file. You may be able to view it with the following command: perldoc Text::Template - + Or: perldoc lib/Text/Template.pm diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/README b/deps/openssl/openssl/external/perl/Text-Template-1.46/README index bdd3dd4a42..e184d8cd2f 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/README +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/README @@ -5,7 +5,7 @@ This is a library for generating form letters, building HTML pages, or filling in templates generally. A `template' is a piece of text that has little Perl programs embedded in it here and there. When you `fill in' a template, you evaluate the little programs and replace -them with their values. +them with their values. Here's an example of a template: @@ -45,7 +45,7 @@ encourages functional separation. You can fill in the template in a `Safe' compartment. This means that if you don't trust the person who wrote the code in the template, you won't have to worry that they are tampering with your program when you -execute it. +execute it. ---------------------------------------------------------------- @@ -87,7 +87,7 @@ What's new in v1.46 since v1.44: parameter to ->new is omitted. ---------------------------------------------------------------- -What's new in v1.44 since v1.43: +What's new in v1.44 since v1.43: This is a maintentance release. There are no feature changes. @@ -182,7 +182,7 @@ What's new in v1.40 since v1.31: ---------------------------------------------------------------- What's new in v1.31 since v1.23: - Just bug fixes---fill_in_string was failing. Thanks to + Just bug fixes---fill_in_string was failing. Thanks to Donald L. Greer Jr. for the test case. ---------------------------------------------------------------- @@ -252,7 +252,7 @@ What's new in v1.10 since v1.03: New OUTPUT option delivers template results directly to a filehandle instead of making them into a string. Saves space - and time. + and time. PACKAGE and HASH now work intelligently with SAFE. @@ -263,16 +263,16 @@ What's new in v1.10 since v1.03: { my $blist = ''; foreach $i (@items) { $blist .= qq{ * $i\n}; - } + } $blist; - } + } You can now write this instead, because $OUT is special. { foreach $i (@items) { $OUT.= " * $i\n"; - } - } + } + } (`A spoonful of sugar makes the medicine go down.') @@ -281,7 +281,7 @@ What's new in v1.10 since v1.03: More documentation. Errors fixed. - Lots more tests. + Lots more tests. ---------------------------------------------------------------- @@ -289,22 +289,22 @@ What's new in v1.03 since v1.0: Code added to support HASH option to fill_in. (Incl. `_gensym' function.) - + Documentation for HASH. - + New test file for HASH. - + Note about failure of lexical variables to propagate into - templates. Why does this surprise people? - + templates. Why does this surprise people? + Bug fix: program fragments are evaluated in an environment with - `no strict' by default. Otherwise, you get a lot of `Global - symbol "$v" requires explicit package name' failures. Why didn't - the test program pick this up? Because the only variable the test - program ever used was `$a', which is exempt. Duhhhhh. - + `no strict' by default. Otherwise, you get a lot of `Global + symbol "$v" requires explicit package name' failures. Why didn't + the test program pick this up? Because the only variable the test + program ever used was `$a', which is exempt. Duhhhhh. + Fixed the test program. - + Various minor documentation fixes. @@ -315,24 +315,25 @@ Improvements of 1.0 over the old 0.1beta: New features: - At least twice as fast + At least twice as fast - Better support for filling out the same template more than once + Better support for filling out the same template more than once Now supports evaluation of program fragments in Safe - compartments. (Thanks, Jonathan!) + compartments. (Thanks, Jonathan!) - Better argument syntax + Better argument syntax - More convenience functions + More convenience functions - The parser is much better and simpler. + The parser is much better and simpler. Once a template is parsed, the parsed version is stored so that - it needn't be parsed again. + it needn't be parsed again. BROKEN function behavior is rationalized. You can now pass an arbitrary argument to your BROKEN function, or return a value - from it to the main program. + from it to the main program. + + Documentation overhauled. - Documentation overhauled. diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/lib/Text/Template.pm b/deps/openssl/openssl/external/perl/Text-Template-1.46/lib/Text/Template.pm index 2b8a391b53..dc4f3bac77 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/lib/Text/Template.pm +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/lib/Text/Template.pm @@ -5,7 +5,7 @@ # # Copyright 2013 M. J. Dominus. # You may copy and distribute this program under the -# same terms as Perl iteself. +# same terms as Perl iteself. # If in doubt, write to mjd-perl-template+@plover.com for a license. # # Version 1.46 @@ -44,7 +44,7 @@ sub always_prepend { my %LEGAL_TYPE; - BEGIN { + BEGIN { %LEGAL_TYPE = map {$_=>1} qw(FILE FILEHANDLE STRING ARRAY); } sub new { @@ -78,7 +78,7 @@ sub always_prepend bless $self => $pack; return unless $self->_acquire_data; - + $self; } } @@ -89,7 +89,7 @@ sub _acquire_data { my ($self) = @_; my $type = $self->{TYPE}; if ($type eq 'STRING') { - # nothing necessary + # nothing necessary } elsif ($type eq 'FILE') { my $data = _load_text($self->{SOURCE}); unless (defined $data) { @@ -115,7 +115,7 @@ sub _acquire_data { } $self->{SOURCE} = $data; } else { - # This should have been caught long ago, so it represents a + # This should have been caught long ago, so it represents a # drastic `can't-happen' sort of failure my $pack = ref $self; die "Can only acquire data for $pack objects of subtype STRING, but this is $type; aborting"; @@ -145,7 +145,7 @@ sub compile { return undef unless $self->_acquire_data; unless ($self->{TYPE} eq 'STRING') { my $pack = ref $self; - # This should have been caught long ago, so it represents a + # This should have been caught long ago, so it represents a # drastic `can't-happen' sort of failure die "Can only compile $pack objects of subtype STRING, but this is $self->{TYPE}; aborting"; } @@ -153,7 +153,7 @@ sub compile { my @tokens; my $delim_pats = shift() || $self->{DELIM}; - + my ($t_open, $t_close) = ('{', '}'); my $DELIM; # Regex matches a delimiter if $delim_pats @@ -215,7 +215,7 @@ sub compile { } else { die "Can't happen error #1"; } - + $self->{TYPE} = 'PREPARSED'; $self->{SOURCE} = \@content; 1; @@ -247,7 +247,7 @@ sub fill_in { my $fi_varhash = _param('hash', %fi_a); my $fi_package = _param('package', %fi_a) ; - my $fi_broken = + my $fi_broken = _param('broken', %fi_a) || $fi_self->{BROKEN} || \&_default_broken; my $fi_broken_arg = _param('broken_arg', %fi_a) || []; my $fi_safe = _param('safe', %fi_a); @@ -305,7 +305,7 @@ sub fill_in { } elsif ($fi_type eq 'PROG') { no strict; my $fi_lcomment = "#line $fi_lineno $fi_filename"; - my $fi_progtext = + my $fi_progtext = "package $fi_eval_package; $fi_prepend;\n$fi_lcomment\n$fi_text;"; my $fi_res; my $fi_eval_err = ''; @@ -445,7 +445,7 @@ sub _unconditionally_untaint { } } } - + # Given a hashful of variables (or a list of such hashes) # install the variables into the specified package, # overwriting whatever variables were there before. @@ -467,7 +467,7 @@ sub _install_hash { } elsif (ref $val) { *SYM = $val; } else { - *SYM = \$val; + *SYM = \$val; } } } @@ -478,7 +478,7 @@ sub TTerror { $ERROR } 1; -=head1 NAME +=head1 NAME Text::Template - Expand template text with embedded Perl @@ -539,7 +539,7 @@ This file documents C<Text::Template> version B<1.46> $text = fill_in_string( <<EOM, PACKAGE => 'T', ...); Dear {$recipient}, Pay me at once. - Love, + Love, G.V. EOM @@ -555,7 +555,7 @@ This is a library for generating form letters, building HTML pages, or filling in templates generally. A `template' is a piece of text that has little Perl programs embedded in it here and there. When you `fill in' a template, you evaluate the little programs and replace -them with their values. +them with their values. You can store a template in a file outside your program. People can modify the template without modifying the program. You can separate @@ -683,16 +683,16 @@ The fragments are evaluated in order, and side effects from earlier fragments will persist into later fragments: {$x = @things; ''}The Lord High Chamberlain has gotten {$x} - things for me this year. - { $diff = $x - 17; + things for me this year. + { $diff = $x - 17; $more = 'more' if ($diff == 0) { $diff = 'no'; } elsif ($diff < 0) { $more = 'fewer'; - } + } ''; - } + } That is {$diff} {$more} than he gave me last year. The value of C<$x> set in the first line will persist into the next @@ -701,11 +701,11 @@ C<$more> set in the second fragment will persist and be interpolated into the last line. The output will look something like this: The Lord High Chamberlain has gotten 42 - things for me this year. + things for me this year. That is 25 more than he gave me last year. -That is all the syntax there is. +That is all the syntax there is. =head2 The C<$OUT> variable @@ -726,9 +726,9 @@ One way to do it is with a template like this: { my $blist = ''; foreach $i (@items) { $blist .= qq{ * $i\n}; - } + } $blist; - } + } Here we construct the list in a variable called C<$blist>, which we return at the end. This is a little cumbersome. There is a shortcut. @@ -743,11 +743,11 @@ This means that you can write the template above like this: Here is a list of the things I have got for you since 1907: { foreach $i (@items) { $OUT .= " * $i\n"; - } - } + } + } C<$OUT> is reinitialized to the empty string at the start of each -program fragment. It is private to C<Text::Template>, so +program fragment. It is private to C<Text::Template>, so you can't use a variable named C<$OUT> in your template without invoking the special behavior. @@ -780,15 +780,15 @@ else that makes sense with C<open>. The C<TYPE> can also be C<STRING>, in which case the C<SOURCE> should be a string: - new Text::Template ( TYPE => 'STRING', + new Text::Template ( TYPE => 'STRING', SOURCE => "This is the actual template!" ); The C<TYPE> can be C<ARRAY>, in which case the source should be a reference to an array of strings. The concatenation of these strings is the template: - new Text::Template ( TYPE => 'ARRAY', - SOURCE => [ "This is ", "the actual", + new Text::Template ( TYPE => 'ARRAY', + SOURCE => [ "This is ", "the actual", " template!", ] ); @@ -800,7 +800,7 @@ C<Text::Template> will read the text from the filehandle up to end-of-file, and that text is the template: # Read template source code from STDIN: - new Text::Template ( TYPE => 'FILEHANDLE', + new Text::Template ( TYPE => 'FILEHANDLE', SOURCE => \*STDIN ); @@ -870,7 +870,7 @@ overridden in the arguments to C<fill_in>. See L<C<BROKEN>> below. Loads all the template text from the template's source, parses and compiles it. If successful, returns true; otherwise returns false and sets C<$Text::Template::ERROR>. If the template is already compiled, -it returns true and does nothing. +it returns true and does nothing. You don't usually need to invoke this function, because C<fill_in> (see below) compiles the template if it isn't compiled already. @@ -977,10 +977,10 @@ variables. You may not want to put the template variables into a package. Packages can be hard to manage: You can't copy them, for example. -C<HASH> provides an alternative. +C<HASH> provides an alternative. The value for C<HASH> should be a reference to a hash that maps -variable names to values. For example, +variable names to values. For example, $template->fill_in(HASH => { recipient => "The King", items => ['gold', 'frankincense', 'myrrh'], @@ -996,19 +996,19 @@ should be passed by reference. We also want to pass an object, which is in C<$self>; note that we pass a reference to the object, C<\$self> instead. Since we've passed a reference to a scalar, inside the template the object appears as -C<$object>. +C<$object>. The full details of how it works are a little involved, so you might want to skip to the next section. -Suppose the key in the hash is I<key> and the value is I<value>. +Suppose the key in the hash is I<key> and the value is I<value>. =over 4 =item * If the I<value> is C<undef>, then any variables named C<$key>, -C<@key>, C<%key>, etc., are undefined. +C<@key>, C<%key>, etc., are undefined. =item * @@ -1032,7 +1032,7 @@ and have almost exactly the same effect. (The difference is that in the former case, the value is copied, and in the latter case it is -aliased.) +aliased.) =item * @@ -1074,7 +1074,7 @@ You can also use this to set two variables with the same name: ] ); -This sets C<$v> to C<"The King"> and C<@v> to C<(1,2,3)>. +This sets C<$v> to C<"The King"> and C<@v> to C<(1,2,3)>. =item C<BROKEN> @@ -1082,13 +1082,13 @@ If any of the program fragments fails to compile or aborts for any reason, and you have set the C<BROKEN> option to a function reference, C<Text::Template> will invoke the function. This function is called the I<C<BROKEN> function>. The C<BROKEN> function will tell -C<Text::Template> what to do next. +C<Text::Template> what to do next. If the C<BROKEN> function returns C<undef>, C<Text::Template> will immediately abort processing the template and return the text that it has accumulated so far. If your function does this, it should set a flag that you can examine after C<fill_in> returns so that you can -tell whether there was a premature return or not. +tell whether there was a premature return or not. If the C<BROKEN> function returns any other value, that value will be interpolated into the template as if that value had been the return @@ -1150,7 +1150,7 @@ If you supply the C<BROKEN_ARG> option to C<fill_in>, the value of the option is passed to the C<BROKEN> function whenever it is called. The default C<BROKEN> function ignores the C<BROKEN_ARG>, but you can write a custom C<BROKEN> function that uses the C<BROKEN_ARG> to get -more information about what went wrong. +more information about what went wrong. The C<BROKEN> function could also use the C<BROKEN_ARG> as a reference to store an error message or some other information that it wants to @@ -1158,7 +1158,7 @@ communicate back to the caller. For example: $error = ''; - sub my_broken { + sub my_broken { my %args = @_; my $err_ref = $args{arg}; ... @@ -1191,7 +1191,7 @@ operations that can be performed in them. If you use the C<PACKAGE> option with C<SAFE>, the package you specify will be placed into the safe compartment and evaluation will take -place in that package as usual. +place in that package as usual. If not, C<SAFE> operation is a little different from the default. Usually, if you don't specify a package, evaluation of program @@ -1235,11 +1235,11 @@ If this option is present, its value should be a reference to a list of two strings. The first string is the string that signals the beginning of each program fragment, and the second string is the string that signals the end of each program fragment. See -L<"Alternative Delimiters">, below. +L<"Alternative Delimiters">, below. If you specify C<DELIMITERS> in the call to C<fill_in>, they override any delimiters you set when you created the template object with -C<new>. +C<new>. =back @@ -1266,7 +1266,7 @@ An example: $text = Text::Template->fill_this_in( <<'EOM', PACKAGE => Q); Dear {$name}, - You owe me \\${sprintf('%.2f', $amount)}. + You owe me \\${sprintf('%.2f', $amount)}. Pay or I will break your {$part}. Love, Grand Vizopteryx of Irkutsk. @@ -1371,7 +1371,7 @@ The text C<The King> doesn't get into the form letter. Why not? Because C<$recipient> is a C<my> variable, and the whole point of C<my> variables is that they're private and inaccessible except in the scope in which they're declared. The template is not part of that -scope, so the template can't see C<$recipient>. +scope, so the template can't see C<$recipient>. If that's not the behavior you want, don't use C<my>. C<my> means a private variable, and in this case you don't want the variable to be @@ -1380,7 +1380,7 @@ package, and use the C<PACKAGE> option to C<fill_in>: $Q::recipient = $recipient; my $text = fill_in_file('formletter.tmpl', PACKAGE => 'Q'); - + or pass the names and values in a hash with the C<HASH> option: @@ -1397,8 +1397,8 @@ rest of your program and wreck something. Nevertheless, there's really no way (except with C<Safe>) to protect against a template that says - { $Important::Secret::Security::Enable = 0; - # Disable security checks in this program + { $Important::Secret::Security::Enable = 0; + # Disable security checks in this program } or @@ -1462,12 +1462,12 @@ you may be able to make it work by doing this instead: --@] It may be safer to choose delimiters that begin with a newline -character. +character. Because the parsing of templates is simplified by the absence of backslash escapes, using alternative C<DELIMITERS> may speed up the parsing process by 20-25%. This shows that my original choice of C<{> -and C<}> was very bad. +and C<}> was very bad. =head2 C<PREPEND> feature and using C<strict> in templates @@ -1492,11 +1492,11 @@ each and every code fragment: Because we didn't put C<use strict> at the top of the second fragment, it was only active in the first fragment, and we didn't get any C<strict> checking in the second fragment. Then we mispelled C<$foo> -and the error wasn't caught. +and the error wasn't caught. C<Text::Template> version 1.22 and higher has a new feature to make this easier. You can specify that any text at all be automatically -added to the beginning of each program fragment. +added to the beginning of each program fragment. When you make a call to C<fill_in>, you can specify a @@ -1541,7 +1541,7 @@ except where overridden by C<PREPEND> options to C<new> or C<fill_in>. =head2 Prepending in Derived Classes This section is technical, and you should skip it on the first few -readings. +readings. Normally there are three places that prepended text could come from. It could come from the C<PREPEND> option in the C<fill_in> call, from @@ -1551,12 +1551,12 @@ C<Text::Template> looks for these three things in order and takes the first one that it finds. In a subclass of C<Text::Template>, this last possibility is -ambiguous. Suppose C<S> is a subclass of C<Text::Template>. Should +ambiguous. Suppose C<S> is a subclass of C<Text::Template>. Should Text::Template->always_prepend(...); affect objects in class C<Derived>? The answer is that you can have it -either way. +either way. The C<always_prepend> value for C<Text::Template> is normally stored in a hash variable named C<%GLOBAL_PREPEND> under the key @@ -1587,7 +1587,7 @@ method to get an arbitrary effect. Jennifer D. St Clair asks: > Most of my pages contain JavaScript and Stylesheets. - > How do I change the template identifier? + > How do I change the template identifier? Jennifer is worried about the braces in the JavaScript being taken as the delimiters of the Perl program fragments. Of course, disaster @@ -1600,13 +1600,13 @@ some reason, there are two easy workarounds: 1. You can put C<\> in front of C<{>, C<}>, or C<\> to remove its special meaning. So, for example, instead of - if (br== "n3") { + if (br== "n3") { // etc. } you can put - if (br== "n3") \{ + if (br== "n3") \{ // etc. \} @@ -1627,21 +1627,21 @@ So if we wrote {q{foo}} -it would turn into +it would turn into foo So for your JavaScript, just write - {q{if (br== "n3") { - // etc. + {q{if (br== "n3") { + // etc. }} } and it'll come out as - if (br== "n3") { - // etc. + if (br== "n3") { + // etc. } which is what you want. @@ -1657,7 +1657,7 @@ their templates, like this: } Then they complain because there is a C<17> at the top of the output -that they didn't want to have there. +that they didn't want to have there. Remember that a program fragment is replaced with its own return value, and that in Perl the return value of a code block is the value @@ -1723,14 +1723,14 @@ complicated to remember, but probably easier to use. The rule is now: Backslashes are always passed to Perl unchanged I<unless> they occur as part of a sequence like C<\\\\\\{> or C<\\\\\\}>. In these contexts, they are special; C<\\> is replaced with C<\>, and C<\{> and -C<\}> signal a literal brace. +C<\}> signal a literal brace. Examples: \{ foo \} is I<not> evaluated, because the C<\> before the braces signals that -they should be taken literally. The result in the output looks like this: +they should be taken literally. The result in the output looks like this: { foo } @@ -1797,7 +1797,7 @@ It's totally straightforward. Just call the C<CGI> functions from inside the template: { $q->checkbox_group(NAME => 'toppings', - LINEBREAK => true, + LINEBREAK => true, COLUMNS => 3, VALUES => \@toppings, ); @@ -1864,7 +1864,7 @@ of the mailing list. The mailing list address is a secret.) =head1 THANKS Many thanks to the following people for offering support, -encouragement, advice, bug reports, and all the other good stuff. +encouragement, advice, bug reports, and all the other good stuff. David H. Adler / Joel Appelbaum / @@ -1895,7 +1895,7 @@ Matt X. Hunter / Robert M. Ioffe / Daniel LaLiberte / Reuven M. Lerner / -Trip Lilley / +Trip Lilley / Yannis Livassof / Val Luck / Kevin Madsen / @@ -1941,12 +1941,12 @@ Special thanks to: =over 2 -=item Jonathan Roy +=item Jonathan Roy for telling me how to do the C<Safe> support (I spent two years worrying about it, and then Jonathan pointed out that it was trivial.) -=item Ranjit Bhatnagar +=item Ranjit Bhatnagar for demanding less verbose fragments like they have in ASP, for helping me figure out the Right Thing, and, especially, for talking me diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/lib/Text/Template/Preprocess.pm b/deps/openssl/openssl/external/perl/Text-Template-1.46/lib/Text/Template/Preprocess.pm index c6e3298ee2..1e41037bd3 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/lib/Text/Template/Preprocess.pm +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/lib/Text/Template/Preprocess.pm @@ -28,7 +28,7 @@ sub preprocessor { 1; -=head1 NAME +=head1 NAME Text::Template::Preprocess - Expand template text with embedded Perl @@ -82,8 +82,8 @@ this: Plain text here... { perl code } <script language=JavaScript> - if (br== "n3") { - // etc. + if (br== "n3") { + // etc. } </script> { more perl code } @@ -96,7 +96,7 @@ JavaScript program with executable Perl code. One strategy: s(<script(.*?)</script>)(q{$1})gsi; } -Then use C<PREPROCESSOR =E<gt> \"e_scripts>. This will transform +Then use C<PREPROCESSOR =E<gt> \"e_scripts>. This will transform @@ -141,3 +141,4 @@ For updates, visit C<http://www.plover.com/~mjd/perl/Template/>. =cut + diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/00-version.t b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/00-version.t index 4784ba008e..5f9560f898 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/00-version.t +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/00-version.t @@ -8,3 +8,4 @@ if ($Text::Template::VERSION == 1.46) { } else { print "not ok 1\n"; } + diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/01-basic.t b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/01-basic.t index d983797786..be43390c67 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/01-basic.t +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/01-basic.t @@ -33,12 +33,12 @@ if (defined($template)) { $n++; # (3) Fill in template from file -$X::v = "abc"; +$X::v = "abc"; $resultX = <<EOM; We will put value of \$v (which is "abc") here -> abc We will evaluate 1+1 here -> 2 EOM -$Y::v = "ABC"; +$Y::v = "ABC"; $resultY = <<EOM; We will put value of \$v (which is "abc") here -> ABC We will evaluate 1+1 here -> 2 @@ -74,7 +74,7 @@ $n++; # (6) test creation of template from filehandle if (open (TMPL, "< $TEMPFILE")) { - $template = new Text::Template ('type' => 'FILEHANDLE', + $template = new Text::Template ('type' => 'FILEHANDLE', 'source' => *TMPL); if (defined($template)) { print "ok $n\n"; @@ -109,9 +109,9 @@ if (open (TMPL, "< $TEMPFILE")) { # (9) test creation of template from array -$template = new Text::Template - ('type' => 'ARRAY', - 'source' => [ +$template = new Text::Template + ('type' => 'ARRAY', + 'source' => [ 'We will put value of $v (which is "abc") here -> {$v}', "\n", 'We will evaluate 1+1 here -> {1+1}', @@ -209,7 +209,7 @@ for ($i=0; $i<@tests; $i+=2) { # MJD 20010827 # (28) test creation of template from filehandle if (open (TMPL, "< $TEMPFILE")) { - $template = new Text::Template ('type' => 'FILEHANDLE', + $template = new Text::Template ('type' => 'FILEHANDLE', 'source' => \*TMPL); if (defined($template)) { print "ok $n\n"; diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/02-hash.t b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/02-hash.t index 050638c853..29ba51a40e 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/02-hash.t +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/02-hash.t @@ -68,13 +68,13 @@ my $WARNINGS = 0; local $^W = 1; # Make sure this is on for this test $template8 = 'We will put value of $v (which is "good") here -> {defined $v ? "bad" : "good"}'; $result8 = 'We will put value of $v (which is "good") here -> good'; - my $template = + my $template = new Text::Template ('type' => 'STRING', 'source' => $template8); my $text = $template->fill_in(HASH => {'v' => undef}); # (8) Did we generate a warning? print +($WARNINGS == 0 ? '' : 'not '), "ok $n\n"; $n++; - + # (9) Was the output correct? print +($text eq $result8 ? '' : 'not '), "ok $n\n"; $n++; @@ -85,7 +85,7 @@ my $WARNINGS = 0; # (10) Did we generate a warning? print +($WARNINGS == 0 ? '' : 'not '), "ok $n\n"; $n++; - + # (11) Was the output correct? if ($] < 5.005) { print "ok $n # skipped -- not supported before 5.005\n"; @@ -98,7 +98,7 @@ my $WARNINGS = 0; # (12) Now we'll test the multiple-hash option (Added for 1.20.) $text = Text::Template::fill_in_string(q{$v: {$v}. @v: [{"@v"}].}, - HASH => [{'v' => 17}, + HASH => [{'v' => 17}, {'v' => ['a', 'b', 'c']}, {'v' => \23}, ]); @@ -108,3 +108,4 @@ $n++; exit; + diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/03-out.t b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/03-out.t index 8094392dca..0ba65a54dc 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/03-out.t +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/03-out.t @@ -46,10 +46,11 @@ $textOUT = $templateOUT->fill_in() print +($text eq $textOUT ? '' : 'not '), "ok $n\n"; $n++; -# Missing: Test this feature in Safe compartments; +# Missing: Test this feature in Safe compartments; # it's a totally different code path. # Decision: Put that into safe.t, because that file should # be skipped when Safe.pm is unavailable. exit; + diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/04-safe.t b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/04-safe.t index 6d94820d2a..4c07121b44 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/04-safe.t +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/04-safe.t @@ -141,13 +141,13 @@ print +($text1 eq $text2 ? '' : 'not '), "ok $n\n"; $n++; # (16) Try the BROKEN routine in safe compartments -sub my_broken { +sub my_broken { my %a = @_; $a{error} =~ s/ at.*//s; "OK! text:$a{text} error:$a{error} lineno:$a{lineno} arg:$a{arg}" ; } $templateB = new Text::Template (TYPE => 'STRING', SOURCE => '{die}') or die; -$text1 = $templateB->fill_in(BROKEN => \&my_broken, +$text1 = $templateB->fill_in(BROKEN => \&my_broken, BROKEN_ARG => 'barg', SAFE => new Safe, ); @@ -158,3 +158,4 @@ $n++; exit; + diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/05-safe2.t b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/05-safe2.t index 71f242592f..03534770f1 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/05-safe2.t +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/05-safe2.t @@ -96,7 +96,10 @@ print +($Q::H eq 'good7' ? '' : 'not '), "ok $n\n"; $Q::H = $Q::H; $n++; -# (12) +# (12) print +($Q2::H eq 'good8' ? '' : 'not '), "ok $n\n"; $Q2::H = $Q2::H; $n++; + + + diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/06-ofh.t b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/06-ofh.t index 22d4a1c841..6865ad1945 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/06-ofh.t +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/06-ofh.t @@ -36,3 +36,4 @@ print +($t eq "My process ID is $$" ? '' : 'not '), "ok $n\n"; $n++; exit; + diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/07-safe3.t b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/07-safe3.t index 8baaf7ad44..5f438f6148 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/07-safe3.t +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/07-safe3.t @@ -88,3 +88,4 @@ $n++; } exit; + diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/08-exported.t b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/08-exported.t index 6014400840..ef9cfafdee 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/08-exported.t +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/08-exported.t @@ -14,7 +14,7 @@ Aborting" print "1..6\n"; $n=1; -$Q::n = $Q::n = 119; +$Q::n = $Q::n = 119; # (1) Test fill_in_string $out = fill_in_string('The value of $n is {$n}.', PACKAGE => 'Q' ); @@ -26,7 +26,7 @@ $TEMPFILE = "tt$$"; open F, "> $TEMPFILE" or die "Couldn't open test file: $!; aborting"; print F 'The value of $n is {$n}.', "\n"; close F or die "Couldn't write test file: $!; aborting"; -$R::n = $R::n = 8128; +$R::n = $R::n = 8128; $out = fill_in_file($TEMPFILE, PACKAGE => 'R'); print +($out eq "The value of \$n is 8128.\n" ? '' : 'not '), "ok $n\n"; @@ -42,7 +42,7 @@ print +($out eq "With a message here? It is good!\n" ? '' : 'not '), "ok $n\n"; $n++; # (4) It probably occurs in fill_this_in also: -$out = +$out = Text::Template->fill_this_in("With a message here? [% \$var %]\n", DELIMITERS => ['[%', '%]'], HASH => { "var" => \"It is good!" }); @@ -50,7 +50,7 @@ print +($out eq "With a message here? It is good!\n" ? '' : 'not '), "ok $n\n"; $n++; # (5) This test failed in 1.25. It was supplied by Donald L. Greer Jr. -# Note that it's different from (1) in that there's no explicit +# Note that it's different from (1) in that there's no explicit # package=> argument. use vars qw($string $foo $r); $string='Hello {$foo}'; @@ -72,3 +72,4 @@ package main; END { $TEMPFILE && unlink $TEMPFILE } exit; + diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/09-error.t b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/09-error.t index c9d03f27f8..40f9fac6cb 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/09-error.t +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/09-error.t @@ -49,14 +49,15 @@ if ($@ =~ /^\QIllegal value `WLUNCH' for TYPE parameter/) { $n++; # (4-5) File does not exist -my $o = Text::Template->new(TYPE => 'file', +my $o = Text::Template->new(TYPE => 'file', SOURCE => 'this file does not exist'); print $o ? "not ok $n\n" : "ok $n\n"; $n++; -print defined($Text::Template::ERROR) +print defined($Text::Template::ERROR) && $Text::Template::ERROR =~ /^Couldn't open file/ ? "ok $n\n" : "not ok $n\n"; $n++; exit; + diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/10-delimiters.t b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/10-delimiters.t index 4b32ce0411..f74d591cc7 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/10-delimiters.t +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/10-delimiters.t @@ -19,7 +19,7 @@ $n = 1; $V = $V = 119; $template = q{The value of $V is <<$V>>.}; $result = q{The value of $V is 119.}; -$template1 = Text::Template->new(TYPE => STRING, +$template1 = Text::Template->new(TYPE => STRING, SOURCE => $template, DELIMITERS => ['<<', '>>'] ) @@ -37,7 +37,7 @@ $n++; # (3) Now we'll try using regex metacharacters # First with the delimiters specified at object creation time $template = q{The value of $V is [$V].}; -$template1 = Text::Template->new(TYPE => STRING, +$template1 = Text::Template->new(TYPE => STRING, SOURCE => $template, DELIMITERS => ['[', ']'] ) @@ -63,10 +63,10 @@ my @tests = ('{""}' => '', # (5) '{"}"}' => undef, '{"\\}"}' => undef, # One backslash '{"\\\\}"}' => undef, # Two backslashes - '{"\\\\\\}"}' => undef, # Three backslashes + '{"\\\\\\}"}' => undef, # Three backslashes '{"\\\\\\\\}"}' => undef, # Four backslashes (10) '{"\\\\\\\\\\}"}' => undef, # Five backslashes - + # Backslashes are always passed directly to Perl '{"x20"}' => 'x20', '{"\\x20"}' => ' ', # One backslash @@ -96,3 +96,4 @@ for ($i=0; $i<@tests; $i+=2) { exit; + diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/11-prepend.t b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/11-prepend.t index 833a5fa444..fe242e5898 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/11-prepend.t +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/11-prepend.t @@ -22,11 +22,11 @@ my $tin = q{The value of $foo is: {$foo}}; Text::Template->always_prepend(q{$foo = "global"}); $tmpl1 = Text::Template->new(TYPE => 'STRING', - SOURCE => $tin, + SOURCE => $tin, ); $tmpl2 = Text::Template->new(TYPE => 'STRING', - SOURCE => $tin, + SOURCE => $tin, PREPEND => q{$foo = "template"}, ); @@ -46,11 +46,11 @@ print "ok $n\n"; $n++; Emptyclass1->always_prepend(q{$foo = 'Emptyclass global';}); $tmpl1 = Emptyclass1->new(TYPE => 'STRING', - SOURCE => $tin, + SOURCE => $tin, ); $tmpl2 = Emptyclass1->new(TYPE => 'STRING', - SOURCE => $tin, + SOURCE => $tin, PREPEND => q{$foo = "template"}, ); @@ -69,11 +69,11 @@ print "ok $n\n"; $n++; print "ok $n\n"; $n++; $tmpl1 = Emptyclass2->new(TYPE => 'STRING', - SOURCE => $tin, + SOURCE => $tin, ); $tmpl2 = Emptyclass2->new(TYPE => 'STRING', - SOURCE => $tin, + SOURCE => $tin, PREPEND => q{$foo = "template"}, ); @@ -90,3 +90,5 @@ print "ok $n\n"; $n++; print "ok $n\n"; $n++; ($t3 eq 'The value of $foo is: fillin') or print "not "; print "ok $n\n"; $n++; + + diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/12-preprocess.t b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/12-preprocess.t index 422b10ec9a..60b6b0c65b 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/12-preprocess.t +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/12-preprocess.t @@ -32,16 +32,16 @@ for my $trial (1, 0) { for my $test (0 .. 3) { my $tmpl; if ($trial == 0) { - $tmpl = new Text::Template::Preprocess + $tmpl = new Text::Template::Preprocess (TYPE => 'STRING', SOURCE => $t) or die; } else { open TF, "< $TMPFILE" or die "Couldn't open test file: $!; aborting"; - $tmpl = new Text::Template::Preprocess + $tmpl = new Text::Template::Preprocess (TYPE => 'FILEHANDLE', SOURCE => \*TF) or die; } $tmpl->preprocessor($py) if ($test & 1) == 1; my @args = ((($test & 2) == 2) ? (PREPROCESSOR => $pz) : ()); - my $o = $tmpl->fill_in(@args, + my $o = $tmpl->fill_in(@args, HASH => {x => 119, 'y' => 23, z => 5}); # print STDERR "$o/$result[$test]\n"; print +(($o eq $result[$test]) ? '' : 'not '), "ok $n\n"; diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/13-taint.t b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/13-taint.t index 30664993ac..d92a37463a 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/13-taint.t +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/13-taint.t @@ -58,14 +58,14 @@ sub should_be_tainted { if (Text::Template::_is_clean($_[0])) { print "not ok $n\n"; $n++; return; } - print "ok $n\n"; $n++; return; + print "ok $n\n"; $n++; return; } sub should_be_clean { unless (Text::Template::_is_clean($_[0])) { print "not ok $n\n"; $n++; return; } - print "ok $n\n"; $n++; return; + print "ok $n\n"; $n++; return; } # Tainted filename should die with and without UNTAINT option @@ -116,3 +116,4 @@ Text::Template::_unconditionally_untaint($tfile); should_be_clean($tfile); END { unlink $file } + diff --git a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/14-broken.t b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/14-broken.t index db88a0711f..d362395cfb 100644 --- a/deps/openssl/openssl/external/perl/Text-Template-1.46/t/14-broken.t +++ b/deps/openssl/openssl/external/perl/Text-Template-1.46/t/14-broken.t @@ -68,7 +68,7 @@ Aborting" # (5) BROKEN sub passed correct args when called in ->fill_in? { my $r = Text::Template->new(TYPE => 'string', SOURCE => '{1/0}', - )->fill_in(BROKEN => + )->fill_in(BROKEN => sub { my %a = @_; qq{$a{lineno},$a{error},$a{text}} }); @@ -79,3 +79,4 @@ Aborting" } $n++; } + diff --git a/deps/openssl/openssl/external/perl/transfer/Text/Template.pm b/deps/openssl/openssl/external/perl/transfer/Text/Template.pm index 7dbfe3f84f..b21f875312 100644 --- a/deps/openssl/openssl/external/perl/transfer/Text/Template.pm +++ b/deps/openssl/openssl/external/perl/transfer/Text/Template.pm @@ -1,4 +1,4 @@ -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -7,6 +7,9 @@ # Quick transfer to the downloaded Text::Template +package transfer::Text::Template; +$VERSION = 1.46; + BEGIN { use File::Spec::Functions; use File::Basename; diff --git a/deps/openssl/openssl/fuzz/test-corpus.c b/deps/openssl/openssl/fuzz/test-corpus.c index c553697d6c..628e633536 100644 --- a/deps/openssl/openssl/fuzz/test-corpus.c +++ b/deps/openssl/openssl/fuzz/test-corpus.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL licenses, (the "License"); * you may not use this file except in compliance with the License. @@ -16,31 +16,86 @@ #include <stdio.h> #include <stdlib.h> +#include <string.h> #include <sys/stat.h> #include <openssl/crypto.h> #include "fuzzer.h" +#include "internal/o_dir.h" -int main(int argc, char **argv) { - int n; +#if defined(_WIN32) && defined(_MAX_PATH) +# define PATH_MAX _MAX_PATH +#endif - FuzzerInitialize(&argc, &argv); +#ifndef PATH_MAX +# define PATH_MAX 4096 +#endif - for (n = 1; n < argc; ++n) { - struct stat st; - FILE *f; - unsigned char *buf; - size_t s; - - stat(argv[n], &st); - f = fopen(argv[n], "rb"); - if (f == NULL) - continue; - buf = malloc(st.st_size); +# if !defined(S_ISREG) +# define S_ISREG(m) ((m) & S_IFREG) +# endif + +static void testfile(const char *pathname) +{ + struct stat st; + FILE *f; + unsigned char *buf; + size_t s; + + if (stat(pathname, &st) < 0 || !S_ISREG(st.st_mode)) + return; + printf("# %s\n", pathname); + fflush(stdout); + f = fopen(pathname, "rb"); + if (f == NULL) + return; + buf = malloc(st.st_size); + if (buf != NULL) { s = fread(buf, 1, st.st_size, f); OPENSSL_assert(s == (size_t)st.st_size); FuzzerTestOneInput(buf, s); free(buf); - fclose(f); + } + fclose(f); +} + +int main(int argc, char **argv) { + int n; + + FuzzerInitialize(&argc, &argv); + + for (n = 1; n < argc; ++n) { + size_t dirname_len = strlen(argv[n]); + const char *filename = NULL; + char *pathname = NULL; + OPENSSL_DIR_CTX *ctx = NULL; + int wasdir = 0; + + /* + * We start with trying to read the given path as a directory. + */ + while ((filename = OPENSSL_DIR_read(&ctx, argv[n])) != NULL) { + wasdir = 1; + if (pathname == NULL) { + pathname = malloc(PATH_MAX); + if (pathname == NULL) + break; + strcpy(pathname, argv[n]); +#ifdef __VMS + if (strchr(":<]", pathname[dirname_len - 1]) == NULL) +#endif + pathname[dirname_len++] = '/'; + pathname[dirname_len] = '\0'; + } + strcpy(pathname + dirname_len, filename); + testfile(pathname); + } + OPENSSL_DIR_end(&ctx); + + /* If it wasn't a directory, treat it as a file instead */ + if (!wasdir) + testfile(argv[n]); + + free(pathname); } return 0; } diff --git a/deps/openssl/openssl/include/internal/__DECC_INCLUDE_EPILOGUE.H b/deps/openssl/openssl/include/internal/__DECC_INCLUDE_EPILOGUE.H new file mode 100644 index 0000000000..5f63860808 --- /dev/null +++ b/deps/openssl/openssl/include/internal/__DECC_INCLUDE_EPILOGUE.H @@ -0,0 +1,16 @@ +/* + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * This file is only used by HP C on VMS, and is included automatically + * after each header file from this directory + */ + +/* restore state. Must correspond to the save in __decc_include_prologue.h */ +#pragma names restore diff --git a/deps/openssl/openssl/include/internal/__DECC_INCLUDE_PROLOGUE.H b/deps/openssl/openssl/include/internal/__DECC_INCLUDE_PROLOGUE.H new file mode 100644 index 0000000000..78b2a87d88 --- /dev/null +++ b/deps/openssl/openssl/include/internal/__DECC_INCLUDE_PROLOGUE.H @@ -0,0 +1,20 @@ +/* + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * This file is only used by HP C on VMS, and is included automatically + * after each header file from this directory + */ + +/* save state */ +#pragma names save +/* have the compiler shorten symbols larger than 31 chars to 23 chars + * followed by a 8 hex char CRC + */ +#pragma names as_is,shortened diff --git a/deps/openssl/openssl/include/internal/numbers.h b/deps/openssl/openssl/include/internal/numbers.h index cf2c30eebb..31931df3c2 100644 --- a/deps/openssl/openssl/include/internal/numbers.h +++ b/deps/openssl/openssl/include/internal/numbers.h @@ -65,3 +65,4 @@ # endif #endif + diff --git a/deps/openssl/openssl/include/internal/sslconf.h b/deps/openssl/openssl/include/internal/sslconf.h new file mode 100644 index 0000000000..d538f8614f --- /dev/null +++ b/deps/openssl/openssl/include/internal/sslconf.h @@ -0,0 +1,20 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef HEADER_SSLCONF_H +# define HEADER_SSLCONF_H + +typedef struct ssl_conf_cmd_st SSL_CONF_CMD; + +const SSL_CONF_CMD *conf_ssl_get(size_t idx, const char **name, size_t *cnt); +int conf_ssl_name_find(const char *name, size_t *idx); +void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr, + char **arg); + +#endif diff --git a/deps/openssl/openssl/include/openssl/asn1.h b/deps/openssl/openssl/include/openssl/asn1.h index 05ae1dbe1c..d0b1099a4f 100644 --- a/deps/openssl/openssl/include/openssl/asn1.h +++ b/deps/openssl/openssl/include/openssl/asn1.h @@ -953,8 +953,10 @@ int ERR_load_ASN1_strings(void); # define ASN1_F_D2I_AUTOPRIVATEKEY 207 # define ASN1_F_D2I_PRIVATEKEY 154 # define ASN1_F_D2I_PUBLICKEY 155 +# define ASN1_F_DO_BUF 142 # define ASN1_F_DO_TCREATE 222 # define ASN1_F_I2D_ASN1_BIO_STREAM 211 +# define ASN1_F_I2D_ASN1_OBJECT 143 # define ASN1_F_I2D_DSA_PUBKEY 161 # define ASN1_F_I2D_EC_PUBKEY 181 # define ASN1_F_I2D_PRIVATEKEY 163 diff --git a/deps/openssl/openssl/include/openssl/bio.h b/deps/openssl/openssl/include/openssl/bio.h index f435bd8ef6..3a72862561 100644 --- a/deps/openssl/openssl/include/openssl/bio.h +++ b/deps/openssl/openssl/include/openssl/bio.h @@ -730,26 +730,26 @@ __bio_h__attr__((__format__(__printf__, 3, 0))); BIO_METHOD *BIO_meth_new(int type, const char *name); void BIO_meth_free(BIO_METHOD *biom); -int (*BIO_meth_get_write(BIO_METHOD *biom)) (BIO *, const char *, int); +int (*BIO_meth_get_write(const BIO_METHOD *biom)) (BIO *, const char *, int); int BIO_meth_set_write(BIO_METHOD *biom, int (*write) (BIO *, const char *, int)); -int (*BIO_meth_get_read(BIO_METHOD *biom)) (BIO *, char *, int); +int (*BIO_meth_get_read(const BIO_METHOD *biom)) (BIO *, char *, int); int BIO_meth_set_read(BIO_METHOD *biom, int (*read) (BIO *, char *, int)); -int (*BIO_meth_get_puts(BIO_METHOD *biom)) (BIO *, const char *); +int (*BIO_meth_get_puts(const BIO_METHOD *biom)) (BIO *, const char *); int BIO_meth_set_puts(BIO_METHOD *biom, int (*puts) (BIO *, const char *)); -int (*BIO_meth_get_gets(BIO_METHOD *biom)) (BIO *, char *, int); +int (*BIO_meth_get_gets(const BIO_METHOD *biom)) (BIO *, char *, int); int BIO_meth_set_gets(BIO_METHOD *biom, int (*gets) (BIO *, char *, int)); -long (*BIO_meth_get_ctrl(BIO_METHOD *biom)) (BIO *, int, long, void *); +long (*BIO_meth_get_ctrl(const BIO_METHOD *biom)) (BIO *, int, long, void *); int BIO_meth_set_ctrl(BIO_METHOD *biom, long (*ctrl) (BIO *, int, long, void *)); -int (*BIO_meth_get_create(BIO_METHOD *bion)) (BIO *); +int (*BIO_meth_get_create(const BIO_METHOD *bion)) (BIO *); int BIO_meth_set_create(BIO_METHOD *biom, int (*create) (BIO *)); -int (*BIO_meth_get_destroy(BIO_METHOD *biom)) (BIO *); +int (*BIO_meth_get_destroy(const BIO_METHOD *biom)) (BIO *); int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy) (BIO *)); -long (*BIO_meth_get_callback_ctrl(BIO_METHOD *biom)) +long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom)) (BIO *, int, BIO_info_cb *); int BIO_meth_set_callback_ctrl(BIO_METHOD *biom, long (*callback_ctrl) (BIO *, int, diff --git a/deps/openssl/openssl/include/openssl/bn.h b/deps/openssl/openssl/include/openssl/bn.h index 54ae760152..301edd5250 100644 --- a/deps/openssl/openssl/include/openssl/bn.h +++ b/deps/openssl/openssl/include/openssl/bn.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -119,25 +119,76 @@ void *BN_GENCB_get_arg(BN_GENCB *cb); * on the size of the number */ /* - * number of Miller-Rabin iterations for an error rate of less than 2^-80 for - * random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook of - * Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996]; - * original paper: Damgaard, Landrock, Pomerance: Average case error - * estimates for the strong probable prime test. -- Math. Comp. 61 (1993) - * 177-194) + * BN_prime_checks_for_size() returns the number of Miller-Rabin iterations + * that will be done for checking that a random number is probably prime. The + * error rate for accepting a composite number as prime depends on the size of + * the prime |b|. The error rates used are for calculating an RSA key with 2 primes, + * and so the level is what you would expect for a key of double the size of the + * prime. + * + * This table is generated using the algorithm of FIPS PUB 186-4 + * Digital Signature Standard (DSS), section F.1, page 117. + * (https://dx.doi.org/10.6028/NIST.FIPS.186-4) + * + * The following magma script was used to generate the output: + * securitybits:=125; + * k:=1024; + * for t:=1 to 65 do + * for M:=3 to Floor(2*Sqrt(k-1)-1) do + * S:=0; + * // Sum over m + * for m:=3 to M do + * s:=0; + * // Sum over j + * for j:=2 to m do + * s+:=(RealField(32)!2)^-(j+(k-1)/j); + * end for; + * S+:=2^(m-(m-1)*t)*s; + * end for; + * A:=2^(k-2-M*t); + * B:=8*(Pi(RealField(32))^2-6)/3*2^(k-2)*S; + * pkt:=2.00743*Log(2)*k*2^-k*(A+B); + * seclevel:=Floor(-Log(2,pkt)); + * if seclevel ge securitybits then + * printf "k: %5o, security: %o bits (t: %o, M: %o)\n",k,seclevel,t,M; + * break; + * end if; + * end for; + * if seclevel ge securitybits then break; end if; + * end for; + * + * It can be run online at: + * http://magma.maths.usyd.edu.au/calc + * + * And will output: + * k: 1024, security: 129 bits (t: 6, M: 23) + * + * k is the number of bits of the prime, securitybits is the level we want to + * reach. + * + * prime length | RSA key size | # MR tests | security level + * -------------+--------------|------------+--------------- + * (b) >= 6394 | >= 12788 | 3 | 256 bit + * (b) >= 3747 | >= 7494 | 3 | 192 bit + * (b) >= 1345 | >= 2690 | 4 | 128 bit + * (b) >= 1080 | >= 2160 | 5 | 128 bit + * (b) >= 852 | >= 1704 | 5 | 112 bit + * (b) >= 476 | >= 952 | 5 | 80 bit + * (b) >= 400 | >= 800 | 6 | 80 bit + * (b) >= 347 | >= 694 | 7 | 80 bit + * (b) >= 308 | >= 616 | 8 | 80 bit + * (b) >= 55 | >= 110 | 27 | 64 bit + * (b) >= 6 | >= 12 | 34 | 64 bit */ -# define BN_prime_checks_for_size(b) ((b) >= 1300 ? 2 : \ - (b) >= 850 ? 3 : \ - (b) >= 650 ? 4 : \ - (b) >= 550 ? 5 : \ - (b) >= 450 ? 6 : \ - (b) >= 400 ? 7 : \ - (b) >= 350 ? 8 : \ - (b) >= 300 ? 9 : \ - (b) >= 250 ? 12 : \ - (b) >= 200 ? 15 : \ - (b) >= 150 ? 18 : \ - /* b >= 100 */ 27) + +# define BN_prime_checks_for_size(b) ((b) >= 3747 ? 3 : \ + (b) >= 1345 ? 4 : \ + (b) >= 476 ? 5 : \ + (b) >= 400 ? 6 : \ + (b) >= 347 ? 7 : \ + (b) >= 308 ? 8 : \ + (b) >= 55 ? 27 : \ + /* b >= 6 */ 34) # define BN_num_bytes(a) ((BN_num_bits(a)+7)/8) diff --git a/deps/openssl/openssl/include/openssl/conf.h b/deps/openssl/openssl/include/openssl/conf.h index 980a51b157..e0539e3128 100644 --- a/deps/openssl/openssl/include/openssl/conf.h +++ b/deps/openssl/openssl/include/openssl/conf.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -191,6 +191,7 @@ int ERR_load_CONF_strings(void); # define CONF_F_NCONF_LOAD_BIO 110 # define CONF_F_NCONF_LOAD_FP 114 # define CONF_F_NCONF_NEW 111 +# define CONF_F_SSL_MODULE_INIT 123 # define CONF_F_STR_COPY 101 /* Reason codes. */ @@ -206,6 +207,10 @@ int ERR_load_CONF_strings(void); # define CONF_R_NO_SECTION 107 # define CONF_R_NO_SUCH_FILE 114 # define CONF_R_NO_VALUE 108 +# define CONF_R_SSL_COMMAND_SECTION_EMPTY 117 +# define CONF_R_SSL_COMMAND_SECTION_NOT_FOUND 118 +# define CONF_R_SSL_SECTION_EMPTY 119 +# define CONF_R_SSL_SECTION_NOT_FOUND 120 # define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 103 # define CONF_R_UNKNOWN_MODULE_NAME 113 # define CONF_R_VARIABLE_EXPANSION_TOO_LONG 116 diff --git a/deps/openssl/openssl/include/openssl/crypto.h b/deps/openssl/openssl/include/openssl/crypto.h index 1ba7f25f01..fa3f12af3b 100644 --- a/deps/openssl/openssl/include/openssl/crypto.h +++ b/deps/openssl/openssl/include/openssl/crypto.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -371,7 +371,9 @@ int CRYPTO_memcmp(const volatile void * volatile in_a, # define OPENSSL_INIT_ENGINE_CAPI 0x00002000L # define OPENSSL_INIT_ENGINE_PADLOCK 0x00004000L # define OPENSSL_INIT_ENGINE_AFALG 0x00008000L -/* OPENSSL_INIT flag 0x00010000 reserved for internal use */ +/* OPENSSL_INIT_ZLIB 0x00010000L */ +/* currently unused 0x00020000L */ +/* OPENSSL_INIT_BASE_ONLY 0x00040000L */ /* OPENSSL_INIT flag range 0xfff00000 reserved for OPENSSL_init_ssl() */ /* Max OPENSSL_INIT flag value is 0x80000000 */ diff --git a/deps/openssl/openssl/include/openssl/dh.h b/deps/openssl/openssl/include/openssl/dh.h index fbd479039e..8cf879e14f 100644 --- a/deps/openssl/openssl/include/openssl/dh.h +++ b/deps/openssl/openssl/include/openssl/dh.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -187,7 +187,7 @@ void DH_meth_free(DH_METHOD *dhm); DH_METHOD *DH_meth_dup(const DH_METHOD *dhm); const char *DH_meth_get0_name(const DH_METHOD *dhm); int DH_meth_set1_name(DH_METHOD *dhm, const char *name); -int DH_meth_get_flags(DH_METHOD *dhm); +int DH_meth_get_flags(const DH_METHOD *dhm); int DH_meth_set_flags(DH_METHOD *dhm, int flags); void *DH_meth_get0_app_data(const DH_METHOD *dhm); int DH_meth_set0_app_data(DH_METHOD *dhm, void *app_data); diff --git a/deps/openssl/openssl/include/openssl/dsa.h b/deps/openssl/openssl/include/openssl/dsa.h index 139718edb9..3a7b1a626e 100644 --- a/deps/openssl/openssl/include/openssl/dsa.h +++ b/deps/openssl/openssl/include/openssl/dsa.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -146,10 +146,12 @@ int DSAparams_print_fp(FILE *fp, const DSA *x); int DSA_print_fp(FILE *bp, const DSA *x, int off); # endif -# define DSS_prime_checks 50 +# define DSS_prime_checks 64 /* - * Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of - * Rabin-Miller + * Primality test according to FIPS PUB 186-4, Appendix C.3. Since we only + * have one value here we set the number of checks to 64 which is the 128 bit + * security level that is the highest level and valid for creating a 3072 bit + * DSA key. */ # define DSA_is_prime(n, callback, cb_arg) \ BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg) @@ -186,7 +188,7 @@ void DSA_meth_free(DSA_METHOD *dsam); DSA_METHOD *DSA_meth_dup(const DSA_METHOD *dsam); const char *DSA_meth_get0_name(const DSA_METHOD *dsam); int DSA_meth_set1_name(DSA_METHOD *dsam, const char *name); -int DSA_meth_get_flags(DSA_METHOD *dsam); +int DSA_meth_get_flags(const DSA_METHOD *dsam); int DSA_meth_set_flags(DSA_METHOD *dsam, int flags); void *DSA_meth_get0_app_data(const DSA_METHOD *dsam); int DSA_meth_set0_app_data(DSA_METHOD *dsam, void *app_data); @@ -260,6 +262,7 @@ int ERR_load_DSA_strings(void); # define DSA_F_DSA_SIG_NEW 102 # define DSA_F_OLD_DSA_PRIV_DECODE 122 # define DSA_F_PKEY_DSA_CTRL 120 +# define DSA_F_PKEY_DSA_CTRL_STR 104 # define DSA_F_PKEY_DSA_KEYGEN 121 /* Reason codes. */ diff --git a/deps/openssl/openssl/include/openssl/evp.h b/deps/openssl/openssl/include/openssl/evp.h index 43c97a7560..36e2934485 100644 --- a/deps/openssl/openssl/include/openssl/evp.h +++ b/deps/openssl/openssl/include/openssl/evp.h @@ -1351,34 +1351,34 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth, const char *type, const char *value)); -void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_init(const EVP_PKEY_METHOD *pmeth, int (**pinit) (EVP_PKEY_CTX *ctx)); -void EVP_PKEY_meth_get_copy(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_copy(const EVP_PKEY_METHOD *pmeth, int (**pcopy) (EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)); -void EVP_PKEY_meth_get_cleanup(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_cleanup(const EVP_PKEY_METHOD *pmeth, void (**pcleanup) (EVP_PKEY_CTX *ctx)); -void EVP_PKEY_meth_get_paramgen(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_paramgen(const EVP_PKEY_METHOD *pmeth, int (**pparamgen_init) (EVP_PKEY_CTX *ctx), int (**pparamgen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)); -void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_keygen(const EVP_PKEY_METHOD *pmeth, int (**pkeygen_init) (EVP_PKEY_CTX *ctx), int (**pkeygen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)); -void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_sign(const EVP_PKEY_METHOD *pmeth, int (**psign_init) (EVP_PKEY_CTX *ctx), int (**psign) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen)); -void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_verify(const EVP_PKEY_METHOD *pmeth, int (**pverify_init) (EVP_PKEY_CTX *ctx), int (**pverify) (EVP_PKEY_CTX *ctx, const unsigned char *sig, @@ -1386,7 +1386,7 @@ void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth, const unsigned char *tbs, size_t tbslen)); -void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_verify_recover(const EVP_PKEY_METHOD *pmeth, int (**pverify_recover_init) (EVP_PKEY_CTX *ctx), int (**pverify_recover) (EVP_PKEY_CTX @@ -1398,7 +1398,7 @@ void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth, char *tbs, size_t tbslen)); -void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_signctx(const EVP_PKEY_METHOD *pmeth, int (**psignctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx), int (**psignctx) (EVP_PKEY_CTX *ctx, @@ -1406,7 +1406,7 @@ void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth, size_t *siglen, EVP_MD_CTX *mctx)); -void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_verifyctx(const EVP_PKEY_METHOD *pmeth, int (**pverifyctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx), int (**pverifyctx) (EVP_PKEY_CTX *ctx, @@ -1414,7 +1414,7 @@ void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth, int siglen, EVP_MD_CTX *mctx)); -void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_encrypt(const EVP_PKEY_METHOD *pmeth, int (**pencrypt_init) (EVP_PKEY_CTX *ctx), int (**pencryptfn) (EVP_PKEY_CTX *ctx, unsigned char *out, @@ -1422,7 +1422,7 @@ void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth, const unsigned char *in, size_t inlen)); -void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_decrypt(const EVP_PKEY_METHOD *pmeth, int (**pdecrypt_init) (EVP_PKEY_CTX *ctx), int (**pdecrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, @@ -1430,13 +1430,13 @@ void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth, const unsigned char *in, size_t inlen)); -void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_derive(const EVP_PKEY_METHOD *pmeth, int (**pderive_init) (EVP_PKEY_CTX *ctx), int (**pderive) (EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)); -void EVP_PKEY_meth_get_ctrl(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_ctrl(const EVP_PKEY_METHOD *pmeth, int (**pctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2), int (**pctrl_str) (EVP_PKEY_CTX *ctx, @@ -1506,6 +1506,8 @@ int ERR_load_EVP_strings(void); # define EVP_F_EVP_PKEY_GET0_RSA 121 # define EVP_F_EVP_PKEY_KEYGEN 146 # define EVP_F_EVP_PKEY_KEYGEN_INIT 147 +# define EVP_F_EVP_PKEY_METH_ADD0 172 +# define EVP_F_EVP_PKEY_METH_NEW 173 # define EVP_F_EVP_PKEY_NEW 106 # define EVP_F_EVP_PKEY_PARAMGEN 148 # define EVP_F_EVP_PKEY_PARAMGEN_INIT 149 @@ -1570,6 +1572,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 # define EVP_R_OPERATON_NOT_INITIALIZED 151 # define EVP_R_PARTIALLY_OVERLAPPING 162 +# define EVP_R_PBKDF2_ERROR 176 # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 175 # define EVP_R_PKEY_ASN1_METHOD_ALREADY_REGISTERED 164 # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 diff --git a/deps/openssl/openssl/include/openssl/lhash.h b/deps/openssl/openssl/include/openssl/lhash.h index 82d40c1e0e..8ecc588484 100644 --- a/deps/openssl/openssl/include/openssl/lhash.h +++ b/deps/openssl/openssl/include/openssl/lhash.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -95,7 +95,7 @@ void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out); # define _LHASH OPENSSL_LHASH # define LHASH_NODE OPENSSL_LH_NODE # define lh_error OPENSSL_LH_error -# define lh_new OPENSSL_lh_new +# define lh_new OPENSSL_LH_new # define lh_free OPENSSL_LH_free # define lh_insert OPENSSL_LH_insert # define lh_delete OPENSSL_LH_delete diff --git a/deps/openssl/openssl/include/openssl/opensslconf.h b/deps/openssl/openssl/include/openssl/opensslconf.h deleted file mode 100644 index 76c99d433a..0000000000 --- a/deps/openssl/openssl/include/openssl/opensslconf.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../config/opensslconf.h" diff --git a/deps/openssl/openssl/include/openssl/opensslconf.h.in b/deps/openssl/openssl/include/openssl/opensslconf.h.in index 9f8634a3a2..17807fb6bd 100644 --- a/deps/openssl/openssl/include/openssl/opensslconf.h.in +++ b/deps/openssl/openssl/include/openssl/opensslconf.h.in @@ -68,12 +68,18 @@ extern "C" { * still won't see them if the library has been built to disable deprecated * functions. */ -#if defined(OPENSSL_NO_DEPRECATED) -# define DECLARE_DEPRECATED(f) -#elif __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0) -# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); -#else -# define DECLARE_DEPRECATED(f) f; +#ifndef DECLARE_DEPRECATED +# if defined(OPENSSL_NO_DEPRECATED) +# define DECLARE_DEPRECATED(f) +# else +# define DECLARE_DEPRECATED(f) f; +# ifdef __GNUC__ +# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0) +# undef DECLARE_DEPRECATED +# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); +# endif +# endif +# endif #endif #ifndef OPENSSL_FILE diff --git a/deps/openssl/openssl/include/openssl/opensslv.h b/deps/openssl/openssl/include/openssl/opensslv.h index 4fb437f2ee..c5ef2a7535 100644 --- a/deps/openssl/openssl/include/openssl/opensslv.h +++ b/deps/openssl/openssl/include/openssl/opensslv.h @@ -39,18 +39,13 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1010008fL +# define OPENSSL_VERSION_NUMBER 0x1010009fL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0h-fips 27 Mar 2018" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0i-fips 14 Aug 2018" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0h 27 Mar 2018" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0i 14 Aug 2018" # endif -#define OPENSSL_MAKE_VERSION(maj,min,fix,patch) ((0x10000000L)+((maj&0xff)<<20)+((min&0xff)<<12)+((fix&0xff)<<4)+patch) - -/* use this for #if tests, should never depend upon fix/patch */ -#define OPENSSL_VERSION_AT_LEAST(maj,min) (OPENSSL_MAKE_VERSION(maj,min, 0, 0) >= OPENSSL_VERSION_NUMBER) - /*- * The macros below are to be used for shared library (.so, .dll, ...) * versioning. That kind of versioning works a bit differently between diff --git a/deps/openssl/openssl/include/openssl/pem.h b/deps/openssl/openssl/include/openssl/pem.h index 2375d63553..f7ce3c61f5 100644 --- a/deps/openssl/openssl/include/openssl/pem.h +++ b/deps/openssl/openssl/include/openssl/pem.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -322,7 +322,8 @@ int PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *d, unsigned int cnt); int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen, EVP_PKEY *pkey); -int PEM_def_callback(char *buf, int num, int w, void *key); +/* The default pem_password_cb that's used internally */ +int PEM_def_callback(char *buf, int num, int rwflag, void *userdata); void PEM_proc_type(char *buf, int type); void PEM_dek_info(char *buf, const char *type, int len, char *str); diff --git a/deps/openssl/openssl/include/openssl/rsa.h b/deps/openssl/openssl/include/openssl/rsa.h index d97d6e075a..790831b945 100644 --- a/deps/openssl/openssl/include/openssl/rsa.h +++ b/deps/openssl/openssl/include/openssl/rsa.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -374,7 +374,7 @@ void RSA_meth_free(RSA_METHOD *meth); RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); const char *RSA_meth_get0_name(const RSA_METHOD *meth); int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); -int RSA_meth_get_flags(RSA_METHOD *meth); +int RSA_meth_get_flags(const RSA_METHOD *meth); int RSA_meth_set_flags(RSA_METHOD *meth, int flags); void *RSA_meth_get0_app_data(const RSA_METHOD *meth); int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data); diff --git a/deps/openssl/openssl/include/openssl/ssl.h b/deps/openssl/openssl/include/openssl/ssl.h index 1cb3462f48..56e2056260 100644 --- a/deps/openssl/openssl/include/openssl/ssl.h +++ b/deps/openssl/openssl/include/openssl/ssl.h @@ -381,7 +381,7 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); # define SSL_OP_PKCS1_CHECK_1 0x0 /* Removed from OpenSSL 1.0.1. Was 0x10000000L */ # define SSL_OP_PKCS1_CHECK_2 0x0 -/* Removed from OpenSSL 1.1.0. Was 0x20000000L */ +/* Removed from OpenSSL 1.1.0. Was 0x20000000L */ # define SSL_OP_NETSCAPE_CA_DN_BUG 0x0 /* Removed from OpenSSL 1.1.0. Was 0x40000000L */ # define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x0 @@ -967,8 +967,8 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count); # define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02 # define SSL_VERIFY_CLIENT_ONCE 0x04 -# define OpenSSL_add_ssl_algorithms() SSL_library_init() # if OPENSSL_API_COMPAT < 0x10100000L +# define OpenSSL_add_ssl_algorithms() SSL_library_init() # define SSLeay_add_ssl_algorithms() SSL_library_init() # endif @@ -1358,7 +1358,7 @@ __owur int SSL_get_fd(const SSL *s); __owur int SSL_get_rfd(const SSL *s); __owur int SSL_get_wfd(const SSL *s); __owur const char *SSL_get_cipher_list(const SSL *s, int n); -__owur char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len); +__owur char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size); __owur int SSL_get_read_ahead(const SSL *s); __owur int SSL_pending(const SSL *s); __owur int SSL_has_pending(const SSL *s); diff --git a/deps/openssl/openssl/include/openssl/ssl3.h b/deps/openssl/openssl/include/openssl/ssl3.h index 4ca434e760..115940ad31 100644 --- a/deps/openssl/openssl/include/openssl/ssl3.h +++ b/deps/openssl/openssl/include/openssl/ssl3.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -252,9 +252,15 @@ extern "C" { # define SSL3_CT_FORTEZZA_DMS 20 /* * SSL3_CT_NUMBER is used to size arrays and it must be large enough to - * contain all of the cert types defined either for SSLv3 and TLSv1. + * contain all of the cert types defined for *either* SSLv3 and TLSv1. */ -# define SSL3_CT_NUMBER 9 +# define SSL3_CT_NUMBER 10 + +# if defined(TLS_CT_NUMBER) +# if TLS_CT_NUMBER != SSL3_CT_NUMBER +# error "SSL/TLS CT_NUMBER values do not match" +# endif +# endif # define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001 diff --git a/deps/openssl/openssl/include/openssl/tls1.h b/deps/openssl/openssl/include/openssl/tls1.h index 3fe01fe813..732e87ab35 100644 --- a/deps/openssl/openssl/include/openssl/tls1.h +++ b/deps/openssl/openssl/include/openssl/tls1.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -883,7 +883,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) * when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see * comment there) */ -# define TLS_CT_NUMBER 9 +# define TLS_CT_NUMBER 10 + +# if defined(SSL3_CT_NUMBER) +# if TLS_CT_NUMBER != SSL3_CT_NUMBER +# error "SSL/TLS CT_NUMBER values do not match" +# endif +# endif # define TLS1_FINISH_MAC_LENGTH 12 diff --git a/deps/openssl/openssl/include/openssl/x509.h b/deps/openssl/openssl/include/openssl/x509.h index d23fad8e35..780386d530 100644 --- a/deps/openssl/openssl/include/openssl/x509.h +++ b/deps/openssl/openssl/include/openssl/x509.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -805,7 +805,7 @@ X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, const unsigned char *bytes, int len); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, - int type, + int type, const unsigned char *bytes, int len); int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, @@ -1055,6 +1055,7 @@ int ERR_load_X509_strings(void); # define X509_F_X509_LOAD_CERT_CRL_FILE 132 # define X509_F_X509_LOAD_CERT_FILE 111 # define X509_F_X509_LOAD_CRL_FILE 112 +# define X509_F_X509_LOOKUP_METH_NEW 160 # define X509_F_X509_NAME_ADD_ENTRY 113 # define X509_F_X509_NAME_ENTRY_CREATE_BY_NID 114 # define X509_F_X509_NAME_ENTRY_CREATE_BY_TXT 131 diff --git a/deps/openssl/openssl/include/openssl/x509_vfy.h b/deps/openssl/openssl/include/openssl/x509_vfy.h index 1aa0a33b8a..d91581c773 100644 --- a/deps/openssl/openssl/include/openssl/x509_vfy.h +++ b/deps/openssl/openssl/include/openssl/x509_vfy.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -257,7 +257,9 @@ X509_OBJECT *X509_OBJECT_new(void); void X509_OBJECT_free(X509_OBJECT *a); X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a); X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a); +int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj); X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a); +int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj); X509_STORE *X509_STORE_new(void); void X509_STORE_free(X509_STORE *v); int X509_STORE_lock(X509_STORE *ctx); @@ -364,6 +366,76 @@ X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m); X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void); X509_LOOKUP_METHOD *X509_LOOKUP_file(void); +typedef int (*X509_LOOKUP_ctrl_fn)(X509_LOOKUP *ctx, int cmd, const char *argc, + long argl, char **ret); +typedef int (*X509_LOOKUP_get_by_subject_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + X509_NAME *name, + X509_OBJECT *ret); +typedef int (*X509_LOOKUP_get_by_issuer_serial_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + X509_NAME *name, + ASN1_INTEGER *serial, + X509_OBJECT *ret); +typedef int (*X509_LOOKUP_get_by_fingerprint_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + const unsigned char* bytes, + int len, + X509_OBJECT *ret); +typedef int (*X509_LOOKUP_get_by_alias_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + const char *str, + int len, + X509_OBJECT *ret); + +X509_LOOKUP_METHOD *X509_LOOKUP_meth_new(const char *name); +void X509_LOOKUP_meth_free(X509_LOOKUP_METHOD *method); + +int X509_LOOKUP_meth_set_new_item(X509_LOOKUP_METHOD *method, + int (*new_item) (X509_LOOKUP *ctx)); +int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + +int X509_LOOKUP_meth_set_free(X509_LOOKUP_METHOD *method, + void (*free) (X509_LOOKUP *ctx)); +void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + +int X509_LOOKUP_meth_set_init(X509_LOOKUP_METHOD *method, + int (*init) (X509_LOOKUP *ctx)); +int (*X509_LOOKUP_meth_get_init(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + +int X509_LOOKUP_meth_set_shutdown(X509_LOOKUP_METHOD *method, + int (*shutdown) (X509_LOOKUP *ctx)); +int (*X509_LOOKUP_meth_get_shutdown(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + +int X509_LOOKUP_meth_set_ctrl(X509_LOOKUP_METHOD *method, + X509_LOOKUP_ctrl_fn ctrl_fn); +X509_LOOKUP_ctrl_fn X509_LOOKUP_meth_get_ctrl(const X509_LOOKUP_METHOD *method); + +int X509_LOOKUP_meth_set_get_by_subject(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_subject_fn fn); +X509_LOOKUP_get_by_subject_fn X509_LOOKUP_meth_get_get_by_subject( + const X509_LOOKUP_METHOD *method); + +int X509_LOOKUP_meth_set_get_by_issuer_serial(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_issuer_serial_fn fn); +X509_LOOKUP_get_by_issuer_serial_fn X509_LOOKUP_meth_get_get_by_issuer_serial( + const X509_LOOKUP_METHOD *method); + +int X509_LOOKUP_meth_set_get_by_fingerprint(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_fingerprint_fn fn); +X509_LOOKUP_get_by_fingerprint_fn X509_LOOKUP_meth_get_get_by_fingerprint( + const X509_LOOKUP_METHOD *method); + +int X509_LOOKUP_meth_set_get_by_alias(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_alias_fn fn); +X509_LOOKUP_get_by_alias_fn X509_LOOKUP_meth_get_get_by_alias( + const X509_LOOKUP_METHOD *method); + + int X509_STORE_add_cert(X509_STORE *ctx, X509 *x); int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x); @@ -393,6 +465,9 @@ int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, X509_OBJECT *ret); int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, const char *str, int len, X509_OBJECT *ret); +int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data); +void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx); +X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx); int X509_LOOKUP_shutdown(X509_LOOKUP *ctx); int X509_STORE_load_locations(X509_STORE *ctx, @@ -475,6 +550,7 @@ int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, const char *name, size_t namelen); void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags); +unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param); char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *); void X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM *, X509_VERIFY_PARAM *); int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, diff --git a/deps/openssl/openssl/ms/uplink-x86.pl b/deps/openssl/openssl/ms/uplink-x86.pl index e25668ea35..2c0b12b86e 100755 --- a/deps/openssl/openssl/ms/uplink-x86.pl +++ b/deps/openssl/openssl/ms/uplink-x86.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -41,4 +41,4 @@ for ($i=1;$i<=$N;$i++) { } &asm_finish(); -close OUTPUT; +close STDOUT; diff --git a/deps/openssl/openssl/ssl/record/rec_layer_d1.c b/deps/openssl/openssl/ssl/record/rec_layer_d1.c index b3ff5f1fbf..6111a2e191 100644 --- a/deps/openssl/openssl/ssl/record/rec_layer_d1.c +++ b/deps/openssl/openssl/ssl/record/rec_layer_d1.c @@ -423,6 +423,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, /* get new packet if necessary */ if ((SSL3_RECORD_get_length(rr) == 0) || (s->rlayer.rstate == SSL_ST_READ_BODY)) { + RECORD_LAYER_set_numrpipes(&s->rlayer, 0); ret = dtls1_get_record(s); if (ret <= 0) { ret = dtls1_read_failed(s, ret); @@ -432,6 +433,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, else goto start; } + RECORD_LAYER_set_numrpipes(&s->rlayer, 1); } /* @@ -442,6 +444,19 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, && SSL3_RECORD_get_length(rr) != 0) s->rlayer.alert_count = 0; + if (SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE + && SSL3_RECORD_get_type(rr) != SSL3_RT_CHANGE_CIPHER_SPEC + && !SSL_in_init(s) + && (s->d1->next_timeout.tv_sec != 0 + || s->d1->next_timeout.tv_usec != 0)) { + /* + * The timer is still running but we've received something that isn't + * handshake data - so the peer must have finished processing our + * last handshake flight. Stop the timer. + */ + dtls1_stop_timer(s); + } + /* we now have a packet which can be read and processed */ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, @@ -458,6 +473,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, return -1; } SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); goto start; } @@ -467,8 +483,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, */ if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); s->rwstate = SSL_NOTHING; - return (0); + return 0; } if (type == SSL3_RECORD_get_type(rr) @@ -493,8 +510,16 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, if (recvd_type != NULL) *recvd_type = SSL3_RECORD_get_type(rr); - if (len <= 0) - return (len); + if (len <= 0) { + /* + * Mark a zero length record as read. This ensures multiple calls to + * SSL_read() with a zero length buffer will eventually cause + * SSL_pending() to report data as being available. + */ + if (SSL3_RECORD_get_length(rr) == 0) + SSL3_RECORD_set_read(rr); + return len; + } if ((unsigned int)len > SSL3_RECORD_get_length(rr)) n = SSL3_RECORD_get_length(rr); @@ -502,12 +527,16 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, n = (unsigned int)len; memcpy(buf, &(SSL3_RECORD_get_data(rr)[SSL3_RECORD_get_off(rr)]), n); - if (!peek) { + if (peek) { + if (SSL3_RECORD_get_length(rr) == 0) + SSL3_RECORD_set_read(rr); + } else { SSL3_RECORD_sub_length(rr, n); SSL3_RECORD_add_off(rr, n); if (SSL3_RECORD_get_length(rr) == 0) { s->rlayer.rstate = SSL_ST_READ_HEADER; SSL3_RECORD_set_off(rr, 0); + SSL3_RECORD_set_read(rr); } } #ifndef OPENSSL_NO_SCTP @@ -558,6 +587,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, } /* Exit and notify application to read again */ SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); s->rwstate = SSL_READING; BIO_clear_retry_flags(SSL_get_rbio(s)); BIO_set_retry_read(SSL_get_rbio(s)); @@ -602,6 +632,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, #endif s->rlayer.rstate = SSL_ST_READ_HEADER; SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); goto start; } @@ -611,6 +642,8 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, SSL3_RECORD_add_off(rr, 1); SSL3_RECORD_add_length(rr, -1); } + if (SSL3_RECORD_get_length(rr) == 0) + SSL3_RECORD_set_read(rr); *dest_len = dest_maxlen; } } @@ -681,6 +714,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, } } else { SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); } /* @@ -705,6 +739,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, || (s->options & SSL_OP_NO_RENEGOTIATION) != 0)) { s->rlayer.d->handshake_fragment_len = 0; SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); goto start; } @@ -732,6 +767,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, if (alert_level == SSL3_AL_WARNING) { s->s3->warn_alert = alert_descr; + SSL3_RECORD_set_read(rr); s->rlayer.alert_count++; if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) { @@ -796,6 +832,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, BIO_snprintf(tmp, sizeof(tmp), "%d", alert_descr); ERR_add_error_data(2, "SSL alert number ", tmp); s->shutdown |= SSL_RECEIVED_SHUTDOWN; + SSL3_RECORD_set_read(rr); SSL_CTX_remove_session(s->session_ctx, s->session); return (0); } else { @@ -811,7 +848,8 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * shutdown */ s->rwstate = SSL_NOTHING; SSL3_RECORD_set_length(rr, 0); - return (0); + SSL3_RECORD_set_read(rr); + return 0; } if (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC) { @@ -820,6 +858,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, * are still missing, so just drop it. */ SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); goto start; } @@ -834,6 +873,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, dtls1_get_message_header(rr->data, &msg_hdr); if (SSL3_RECORD_get_epoch(rr) != s->rlayer.d->r_epoch) { SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); goto start; } @@ -847,6 +887,19 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, dtls1_retransmit_buffered_messages(s); SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); + if (!(s->mode & SSL_MODE_AUTO_RETRY)) { + if (SSL3_BUFFER_get_left(&s->rlayer.rbuf) == 0) { + /* no read-ahead left? */ + BIO *bio; + + s->rwstate = SSL_READING; + bio = SSL_get_rbio(s); + BIO_clear_retry_flags(bio); + BIO_set_retry_read(bio); + return -1; + } + } goto start; } @@ -889,6 +942,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, /* TLS just ignores unknown message types */ if (s->version == TLS1_VERSION) { SSL3_RECORD_set_length(rr, 0); + SSL3_RECORD_set_read(rr); goto start; } al = SSL_AD_UNEXPECTED_MESSAGE; diff --git a/deps/openssl/openssl/ssl/record/rec_layer_s3.c b/deps/openssl/openssl/ssl/record/rec_layer_s3.c index 20225d2db7..1ffc1205d9 100644 --- a/deps/openssl/openssl/ssl/record/rec_layer_s3.c +++ b/deps/openssl/openssl/ssl/record/rec_layer_s3.c @@ -368,7 +368,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) * promptly send beyond the end of the users buffer ... so we trap and * report the error in a way the user will notice */ - if (((unsigned int)len < s->rlayer.wnum) + if (((unsigned int)len < s->rlayer.wnum) || ((wb->left != 0) && ((unsigned int)len < (s->rlayer.wnum + s->rlayer.wpend_tot)))) { SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH); return -1; diff --git a/deps/openssl/openssl/ssl/record/ssl3_record.c b/deps/openssl/openssl/ssl/record/ssl3_record.c index c7a54feb12..c80add37f9 100644 --- a/deps/openssl/openssl/ssl/record/ssl3_record.c +++ b/deps/openssl/openssl/ssl/record/ssl3_record.c @@ -1531,6 +1531,7 @@ int dtls1_get_record(SSL *s) p += 6; n2s(p, rr->length); + rr->read = 0; /* * Lets check the version. We tolerate alerts that don't have the exact @@ -1540,6 +1541,7 @@ int dtls1_get_record(SSL *s) if (version != s->version) { /* unexpected version, silently discard */ rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1548,6 +1550,7 @@ int dtls1_get_record(SSL *s) if ((version & 0xff00) != (s->version & 0xff00)) { /* wrong version, silently discard record */ rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1555,10 +1558,10 @@ int dtls1_get_record(SSL *s) if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { /* record too long, silently discard it */ rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } - /* now s->rlayer.rstate == SSL_ST_READ_BODY */ } @@ -1572,6 +1575,7 @@ int dtls1_get_record(SSL *s) /* this packet contained a partial record, dump it */ if (n != i) { rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } @@ -1588,6 +1592,7 @@ int dtls1_get_record(SSL *s) bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); if (bitmap == NULL) { rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ } @@ -1602,6 +1607,7 @@ int dtls1_get_record(SSL *s) */ if (!dtls1_record_replay_check(s, bitmap)) { rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ } @@ -1610,8 +1616,10 @@ int dtls1_get_record(SSL *s) #endif /* just read a 0 length packet */ - if (rr->length == 0) + if (rr->length == 0) { + rr->read = 1; goto again; + } /* * If this record is from the next epoch (either HM or ALERT), and a @@ -1626,12 +1634,14 @@ int dtls1_get_record(SSL *s) return -1; } rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); goto again; } if (!dtls1_process_record(s, bitmap)) { rr->length = 0; + rr->read = 1; RECORD_LAYER_reset_packet_length(&s->rlayer); /* dump this record */ goto again; /* get another record */ } diff --git a/deps/openssl/openssl/ssl/ssl_ciph.c b/deps/openssl/openssl/ssl/ssl_ciph.c index 7a393cbe80..b8da982105 100644 --- a/deps/openssl/openssl/ssl/ssl_ciph.c +++ b/deps/openssl/openssl/ssl/ssl_ciph.c @@ -101,10 +101,7 @@ static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = { {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, }; -static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = { - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, - NULL, NULL -}; +static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]; #define SSL_COMP_NULL_IDX 0 #define SSL_COMP_ZLIB_IDX 1 diff --git a/deps/openssl/openssl/ssl/ssl_conf.c b/deps/openssl/openssl/ssl/ssl_conf.c index 7f894885dc..9d9309ac15 100644 --- a/deps/openssl/openssl/ssl/ssl_conf.c +++ b/deps/openssl/openssl/ssl/ssl_conf.c @@ -222,8 +222,9 @@ static int cmd_ECDHParameters(SSL_CONF_CTX *cctx, const char *value) int nid; /* Ignore values supported by 1.0.2 for the automatic selection */ - if ((cctx->flags & SSL_CONF_FLAG_FILE) && - strcasecmp(value, "+automatic") == 0) + if ((cctx->flags & SSL_CONF_FLAG_FILE) + && (strcasecmp(value, "+automatic") == 0 + || strcasecmp(value, "automatic") == 0)) return 1; if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) && strcmp(value, "auto") == 0) diff --git a/deps/openssl/openssl/ssl/ssl_init.c b/deps/openssl/openssl/ssl/ssl_init.c index 3e62d48111..dc16e39bf3 100644 --- a/deps/openssl/openssl/ssl/ssl_init.c +++ b/deps/openssl/openssl/ssl/ssl_init.c @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -12,6 +12,7 @@ #include "internal/err.h" #include <openssl/crypto.h> #include <openssl/evp.h> +#include <openssl/conf.h> #include <assert.h> #include "ssl_locl.h" #include "internal/thread_once.h" @@ -126,8 +127,8 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings) "ERR_load_SSL_strings()\n"); # endif ERR_load_SSL_strings(); -#endif ssl_strings_inited = 1; +#endif return 1; } @@ -191,11 +192,13 @@ int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS * settings) return 0; } - if (!RUN_ONCE(&ssl_base, ossl_init_ssl_base)) + if (!OPENSSL_init_crypto(opts + | OPENSSL_INIT_ADD_ALL_CIPHERS + | OPENSSL_INIT_ADD_ALL_DIGESTS, + settings)) return 0; - if (!OPENSSL_init_crypto(opts | OPENSSL_INIT_ADD_ALL_CIPHERS - | OPENSSL_INIT_ADD_ALL_DIGESTS, settings)) + if (!RUN_ONCE(&ssl_base, ossl_init_ssl_base)) return 0; if ((opts & OPENSSL_INIT_NO_LOAD_SSL_STRINGS) diff --git a/deps/openssl/openssl/ssl/ssl_lib.c b/deps/openssl/openssl/ssl/ssl_lib.c index 8a190d23e8..2002c1712f 100644 --- a/deps/openssl/openssl/ssl/ssl_lib.c +++ b/deps/openssl/openssl/ssl/ssl_lib.c @@ -2213,28 +2213,37 @@ int SSL_set_cipher_list(SSL *s, const char *str) return 1; } -char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) +char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) { char *p; - STACK_OF(SSL_CIPHER) *sk; + STACK_OF(SSL_CIPHER) *clntsk, *srvrsk; const SSL_CIPHER *c; int i; - if ((s->session == NULL) || (s->session->ciphers == NULL) || (len < 2)) - return (NULL); + if (!s->server + || s->session == NULL + || s->session->ciphers == NULL + || size < 2) + return NULL; p = buf; - sk = s->session->ciphers; + clntsk = s->session->ciphers; + srvrsk = SSL_get_ciphers(s); + if (clntsk == NULL || srvrsk == NULL) + return NULL; - if (sk_SSL_CIPHER_num(sk) == 0) + if (sk_SSL_CIPHER_num(clntsk) == 0 || sk_SSL_CIPHER_num(srvrsk) == 0) return NULL; - for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { + for (i = 0; i < sk_SSL_CIPHER_num(clntsk); i++) { int n; - c = sk_SSL_CIPHER_value(sk, i); + c = sk_SSL_CIPHER_value(clntsk, i); + if (sk_SSL_CIPHER_find(srvrsk, c) < 0) + continue; + n = strlen(c->name); - if (n + 1 > len) { + if (n + 1 > size) { if (p != buf) --p; *p = '\0'; @@ -2243,7 +2252,7 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) memcpy(p, c->name, n + 1); p += n; *(p++) = ':'; - len -= n + 1; + size -= n + 1; } p[-1] = '\0'; return (buf); @@ -3035,12 +3044,13 @@ void ssl_update_cache(SSL *s, int mode) /* * If sid_ctx_length is 0 there is no specific application context * associated with this session, so when we try to resume it and - * SSL_VERIFY_PEER is requested, we have no indication that this is - * actually a session for the proper application context, and the - * *handshake* will fail, not just the resumption attempt. - * Do not cache these sessions that are not resumable. + * SSL_VERIFY_PEER is requested to verify the client identity, we have no + * indication that this is actually a session for the proper application + * context, and the *handshake* will fail, not just the resumption attempt. + * Do not cache (on the server) these sessions that are not resumable + * (clients can set SSL_VERIFY_PEER without needing a sid_ctx set). */ - if (s->session->sid_ctx_length == 0 + if (s->server && s->session->sid_ctx_length == 0 && (s->verify_mode & SSL_VERIFY_PEER) != 0) return; @@ -3519,7 +3529,6 @@ void ssl_free_wbio_buffer(SSL *s) return; s->wbio = BIO_pop(s->wbio); - assert(s->wbio != NULL); BIO_free(s->bbio); s->bbio = NULL; } diff --git a/deps/openssl/openssl/ssl/ssl_locl.h b/deps/openssl/openssl/ssl/ssl_locl.h index d86bd7e8e2..3c7c1a8e64 100644 --- a/deps/openssl/openssl/ssl/ssl_locl.h +++ b/deps/openssl/openssl/ssl/ssl_locl.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -164,6 +164,8 @@ (c)[1]=(unsigned char)(((l)>> 8)&0xff), \ (c)[2]=(unsigned char)(((l) )&0xff)),(c)+=3) +# define SSL_MAX_2_BYTE_LEN (0xffff) + /* * DTLS version numbers are strange because they're inverted. Except for * DTLS1_BAD_VER, which should be considered "lower" than the rest. @@ -347,6 +349,9 @@ /* we have used 0000003f - 26 bits left to go */ +# define SSL_IS_FIRST_HANDSHAKE(S) ((s)->s3->tmp.finish_md_len == 0 \ + || (s)->s3->tmp.peer_finish_md_len == 0) + /* Check if an SSL structure is using DTLS */ # define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) /* See if we need explicit IV */ @@ -537,7 +542,7 @@ struct ssl_session_st { const SSL_CIPHER *cipher; unsigned long cipher_id; /* when ASN.1 loaded, this needs to be used to * load the 'cipher' structure */ - STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */ + STACK_OF(SSL_CIPHER) *ciphers; /* ciphers offered by the client */ CRYPTO_EX_DATA ex_data; /* application specific data */ /* * These are used to make removal of session-ids more efficient and to diff --git a/deps/openssl/openssl/ssl/ssl_mcnf.c b/deps/openssl/openssl/ssl/ssl_mcnf.c index c2d9dba64a..24742660e4 100644 --- a/deps/openssl/openssl/ssl/ssl_mcnf.c +++ b/deps/openssl/openssl/ssl/ssl_mcnf.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,148 +11,35 @@ #include <openssl/conf.h> #include <openssl/ssl.h> #include "ssl_locl.h" +#include "internal/sslconf.h" /* SSL library configuration module. */ -struct ssl_conf_name { - /* Name of this set of commands */ - char *name; - /* List of commands */ - struct ssl_conf_cmd *cmds; - /* Number of commands */ - size_t cmd_count; -}; - -struct ssl_conf_cmd { - /* Command */ - char *cmd; - /* Argument */ - char *arg; -}; - -static struct ssl_conf_name *ssl_names; -static size_t ssl_names_count; - -static void ssl_module_free(CONF_IMODULE *md) -{ - size_t i, j; - if (ssl_names == NULL) - return; - for (i = 0; i < ssl_names_count; i++) { - struct ssl_conf_name *tname = ssl_names + i; - OPENSSL_free(tname->name); - for (j = 0; j < tname->cmd_count; j++) { - OPENSSL_free(tname->cmds[j].cmd); - OPENSSL_free(tname->cmds[j].arg); - } - OPENSSL_free(tname->cmds); - } - OPENSSL_free(ssl_names); - ssl_names = NULL; - ssl_names_count = 0; -} - -static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf) -{ - size_t i, j, cnt; - int rv = 0; - const char *ssl_conf_section; - STACK_OF(CONF_VALUE) *cmd_lists; - ssl_conf_section = CONF_imodule_get_value(md); - cmd_lists = NCONF_get_section(cnf, ssl_conf_section); - if (sk_CONF_VALUE_num(cmd_lists) <= 0) { - if (cmd_lists == NULL) - SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_NOT_FOUND); - else - SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_SECTION_EMPTY); - ERR_add_error_data(2, "section=", ssl_conf_section); - goto err; - } - cnt = sk_CONF_VALUE_num(cmd_lists); - ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt); - ssl_names_count = cnt; - for (i = 0; i < ssl_names_count; i++) { - struct ssl_conf_name *ssl_name = ssl_names + i; - CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, i); - STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value); - if (sk_CONF_VALUE_num(cmds) <= 0) { - if (cmds == NULL) - SSLerr(SSL_F_SSL_MODULE_INIT, - SSL_R_SSL_COMMAND_SECTION_NOT_FOUND); - else - SSLerr(SSL_F_SSL_MODULE_INIT, SSL_R_SSL_COMMAND_SECTION_EMPTY); - ERR_add_error_data(4, "name=", sect->name, ", value=", sect->value); - goto err; - } - ssl_name->name = BUF_strdup(sect->name); - if (ssl_name->name == NULL) - goto err; - cnt = sk_CONF_VALUE_num(cmds); - ssl_name->cmds = OPENSSL_zalloc(cnt * sizeof(struct ssl_conf_cmd)); - if (ssl_name->cmds == NULL) - goto err; - ssl_name->cmd_count = cnt; - for (j = 0; j < cnt; j++) { - const char *name; - CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, j); - struct ssl_conf_cmd *cmd = ssl_name->cmds + j; - /* Skip any initial dot in name */ - name = strchr(cmd_conf->name, '.'); - if (name != NULL) - name++; - else - name = cmd_conf->name; - cmd->cmd = BUF_strdup(name); - cmd->arg = BUF_strdup(cmd_conf->value); - if (cmd->cmd == NULL || cmd->arg == NULL) - goto err; - } - - } - rv = 1; - err: - if (rv == 0) - ssl_module_free(md); - return rv; -} - void SSL_add_ssl_module(void) { - CONF_module_add("ssl_conf", ssl_module_init, ssl_module_free); -} - -static const struct ssl_conf_name *ssl_name_find(const char *name) -{ - size_t i; - const struct ssl_conf_name *nm; - if (name == NULL) - return NULL; - for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) { - if (strcmp(nm->name, name) == 0) - return nm; - } - return NULL; + /* Just load all of the crypto builtin modules. This includes the SSL one */ + OPENSSL_load_builtin_modules(); } static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name) { SSL_CONF_CTX *cctx = NULL; - size_t i; + size_t i, idx, cmd_count; int rv = 0; unsigned int flags; const SSL_METHOD *meth; - const struct ssl_conf_name *nm; - struct ssl_conf_cmd *cmd; + const SSL_CONF_CMD *cmds; + if (s == NULL && ctx == NULL) { SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER); goto err; } - nm = ssl_name_find(name); - if (nm == NULL) { + if (!conf_ssl_name_find(name, &idx)) { SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME); ERR_add_error_data(2, "name=", name); goto err; } + cmds = conf_ssl_get(idx, &name, &cmd_count); cctx = SSL_CONF_CTX_new(); if (cctx == NULL) goto err; @@ -170,15 +57,18 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name) if (meth->ssl_connect != ssl_undefined_function) flags |= SSL_CONF_FLAG_CLIENT; SSL_CONF_CTX_set_flags(cctx, flags); - for (i = 0, cmd = nm->cmds; i < nm->cmd_count; i++, cmd++) { - rv = SSL_CONF_cmd(cctx, cmd->cmd, cmd->arg); + for (i = 0; i < cmd_count; i++) { + char *cmdstr, *arg; + + conf_ssl_get_cmd(cmds, i, &cmdstr, &arg); + rv = SSL_CONF_cmd(cctx, cmdstr, arg); if (rv <= 0) { if (rv == -2) SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_UNKNOWN_COMMAND); else SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_BAD_VALUE); - ERR_add_error_data(6, "section=", name, ", cmd=", cmd->cmd, - ", arg=", cmd->arg); + ERR_add_error_data(6, "section=", name, ", cmd=", cmdstr, + ", arg=", arg); goto err; } } diff --git a/deps/openssl/openssl/ssl/ssl_sess.c b/deps/openssl/openssl/ssl/ssl_sess.c index 0dea8b5224..926b55c7ba 100644 --- a/deps/openssl/openssl/ssl/ssl_sess.c +++ b/deps/openssl/openssl/ssl/ssl_sess.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -734,11 +734,11 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) if (lck) CRYPTO_THREAD_unlock(ctx->lock); - if (ret) - SSL_SESSION_free(r); - if (ctx->remove_session_cb != NULL) ctx->remove_session_cb(ctx, c); + + if (ret) + SSL_SESSION_free(r); } else ret = 0; return (ret); diff --git a/deps/openssl/openssl/ssl/ssl_txt.c b/deps/openssl/openssl/ssl/ssl_txt.c index dbbf9d9e8d..f149a3ad09 100644 --- a/deps/openssl/openssl/ssl/ssl_txt.c +++ b/deps/openssl/openssl/ssl/ssl_txt.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -70,18 +70,18 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (x->cipher == NULL) { if (((x->cipher_id) & 0xff000000) == 0x02000000) { - if (BIO_printf - (bp, " Cipher : %06lX\n", x->cipher_id & 0xffffff) <= 0) + if (BIO_printf(bp, " Cipher : %06lX\n", + x->cipher_id & 0xffffff) <= 0) goto err; } else { - if (BIO_printf - (bp, " Cipher : %04lX\n", x->cipher_id & 0xffff) <= 0) + if (BIO_printf(bp, " Cipher : %04lX\n", + x->cipher_id & 0xffff) <= 0) goto err; } } else { - if (BIO_printf - (bp, " Cipher : %s\n", - ((x->cipher == NULL) ? "unknown" : x->cipher->name)) <= 0) + if (BIO_printf(bp, " Cipher : %s\n", + ((x->cipher->name == NULL) ? "unknown" + : x->cipher->name)) <= 0) goto err; } if (BIO_puts(bp, " Session-ID: ") <= 0) diff --git a/deps/openssl/openssl/ssl/statem/README b/deps/openssl/openssl/ssl/statem/README index 4467bd1e58..145c69db8d 100644 --- a/deps/openssl/openssl/ssl/statem/README +++ b/deps/openssl/openssl/ssl/statem/README @@ -60,3 +60,4 @@ Conceptually the state machine component is designed as follows: | Non core functions common | | Non core functions common to | | to both servers and clients | | both DTLS servers and clients | |_____________________________| |_______________________________| + diff --git a/deps/openssl/openssl/ssl/statem/statem.c b/deps/openssl/openssl/ssl/statem/statem.c index b91ec0a360..69bb40f00e 100644 --- a/deps/openssl/openssl/ssl/statem/statem.c +++ b/deps/openssl/openssl/ssl/statem/statem.c @@ -556,10 +556,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) * Validate that we are allowed to move to the new state and move * to that state if so */ - if (!transition(s, mt)) { - ossl_statem_set_error(s); + if (!transition(s, mt)) return SUB_STATE_ERROR; - } if (s->s3->tmp.message_size > max_message_size(s)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); diff --git a/deps/openssl/openssl/ssl/statem/statem_clnt.c b/deps/openssl/openssl/ssl/statem/statem_clnt.c index 6fa3f1db67..ed993553c5 100644 --- a/deps/openssl/openssl/ssl/statem/statem_clnt.c +++ b/deps/openssl/openssl/ssl/statem/statem_clnt.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -265,6 +265,21 @@ int ossl_statem_client_read_transition(SSL *s, int mt) err: /* No valid transition found */ + if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { + BIO *rbio; + + /* + * CCS messages don't have a message sequence number so this is probably + * because of an out-of-order CCS. We'll just drop it. + */ + s->init_num = 0; + s->rwstate = SSL_READING; + rbio = SSL_get_rbio(s); + BIO_clear_retry_flags(rbio); + BIO_set_retry_read(rbio); + return 0; + } + ossl_statem_set_error(s); ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE); SSLerr(SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE); return 0; diff --git a/deps/openssl/openssl/ssl/statem/statem_dtls.c b/deps/openssl/openssl/ssl/statem/statem_dtls.c index 6b80620ee9..5b34425445 100644 --- a/deps/openssl/openssl/ssl/statem/statem_dtls.c +++ b/deps/openssl/openssl/ssl/statem/statem_dtls.c @@ -493,7 +493,8 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, int *ok) al = dtls1_preprocess_fragment(s, &frag->msg_header); - if (al == 0) { /* no alert */ + /* al will be 0 if no alert */ + if (al == 0 && frag->msg_header.frag_len > 0) { unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; memcpy(&p[frag->msg_header.frag_off], frag->fragment, diff --git a/deps/openssl/openssl/ssl/statem/statem_lib.c b/deps/openssl/openssl/ssl/statem/statem_lib.c index 36d410bdf7..eba4c6fb40 100644 --- a/deps/openssl/openssl/ssl/statem/statem_lib.c +++ b/deps/openssl/openssl/ssl/statem/statem_lib.c @@ -299,6 +299,15 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst) s->ctx->stats.sess_accept_good++; s->handshake_func = ossl_statem_accept; + + if (SSL_IS_DTLS(s) && !s->hit) { + /* + * We are finishing after the client. We start the timer going + * in case there are any retransmits of our final flight + * required. + */ + dtls1_start_timer(s); + } } else { ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); if (s->hit) @@ -306,6 +315,15 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst) s->handshake_func = ossl_statem_connect; s->ctx->stats.sess_connect_good++; + + if (SSL_IS_DTLS(s) && s->hit) { + /* + * We are finishing after the server. We start the timer going + * in case there are any retransmits of our final flight + * required. + */ + dtls1_start_timer(s); + } } if (s->info_callback != NULL) @@ -1073,6 +1091,13 @@ int ssl_set_client_hello_version(SSL *s) { int ver_min, ver_max, ret; + /* + * In a renegotiation we always send the same client_version that we sent + * last time, regardless of which version we eventually negotiated. + */ + if (!SSL_IS_FIRST_HANDSHAKE(s)) + return 0; + ret = ssl_get_client_min_max_version(s, &ver_min, &ver_max); if (ret != 0) diff --git a/deps/openssl/openssl/ssl/statem/statem_srvr.c b/deps/openssl/openssl/ssl/statem/statem_srvr.c index c7cd9eb662..f81fa5e199 100644 --- a/deps/openssl/openssl/ssl/statem/statem_srvr.c +++ b/deps/openssl/openssl/ssl/statem/statem_srvr.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -213,6 +213,21 @@ int ossl_statem_server_read_transition(SSL *s, int mt) } /* No valid transition found */ + if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { + BIO *rbio; + + /* + * CCS messages don't have a message sequence number so this is probably + * because of an out-of-order CCS. We'll just drop it. + */ + s->init_num = 0; + s->rwstate = SSL_READING; + rbio = SSL_get_rbio(s); + BIO_clear_retry_flags(rbio); + BIO_set_retry_read(rbio); + return 0; + } + ossl_statem_set_error(s); ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE); SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE); return 0; @@ -1698,6 +1713,12 @@ int tls_construct_server_key_exchange(SSL *s) } dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey); + if (dh == NULL) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + } EVP_PKEY_free(pkdh); pkdh = NULL; @@ -1985,6 +2006,11 @@ int tls_construct_certificate_request(SSL *s) const unsigned char *psigs; unsigned char *etmp = p; nl = tls12_get_psigalgs(s, 1, &psigs); + if (nl > SSL_MAX_2_BYTE_LEN) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + SSL_R_LENGTH_TOO_LONG); + goto err; + } /* Skip over length for now */ p += 2; nl = tls12_copy_sigalgs(s, p, psigs, nl); @@ -2004,6 +2030,11 @@ int tls_construct_certificate_request(SSL *s) for (i = 0; i < sk_X509_NAME_num(sk); i++) { name = sk_X509_NAME_value(sk, i); j = i2d_X509_NAME(name, NULL); + if (j > SSL_MAX_2_BYTE_LEN) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + SSL_R_LENGTH_TOO_LONG); + goto err; + } if (!BUF_MEM_grow_clean(buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_BUF_LIB); goto err; @@ -2013,6 +2044,11 @@ int tls_construct_certificate_request(SSL *s) i2d_X509_NAME(name, &p); n += 2 + j; nl += 2 + j; + if (nl > SSL_MAX_2_BYTE_LEN) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + SSL_R_LENGTH_TOO_LONG); + goto err; + } } } /* else no CA names */ @@ -2303,13 +2339,12 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al) SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_BN_LIB); goto err; } + cdh = EVP_PKEY_get0_DH(ckey); pub_key = BN_bin2bn(data, i, NULL); - - if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) { + if (pub_key == NULL || cdh == NULL || !DH_set0_key(cdh, pub_key, NULL)) { SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR); - if (pub_key != NULL) - BN_free(pub_key); + BN_free(pub_key); goto err; } diff --git a/deps/openssl/openssl/ssl/t1_lib.c b/deps/openssl/openssl/ssl/t1_lib.c index 7a5721a1e2..95711fb6df 100644 --- a/deps/openssl/openssl/ssl/t1_lib.c +++ b/deps/openssl/openssl/ssl/t1_lib.c @@ -408,7 +408,7 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen, return 1; } -# define MAX_CURVELIST 28 +# define MAX_CURVELIST OSSL_NELEM(nid_list) typedef struct { size_t nidcnt; @@ -490,13 +490,16 @@ static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id, return 1; } +# define DONT_CHECK_OWN_GROUPS 0 +# define CHECK_OWN_GROUPS 1 /* Check an EC key is compatible with extensions */ -static int tls1_check_ec_key(SSL *s, - unsigned char *curve_id, unsigned char *comp_id) +static int tls1_check_ec_key(SSL *s, unsigned char *curve_id, + unsigned char *comp_id, int check_own_groups) { const unsigned char *pformats, *pcurves; size_t num_formats, num_curves, i; int j; + /* * If point formats extension present check it, otherwise everything is * supported (see RFC4492). @@ -513,8 +516,12 @@ static int tls1_check_ec_key(SSL *s, } if (!curve_id) return 1; + + if (!s->server && !check_own_groups) + return 1; + /* Check curve is consistent with client and server preferences */ - for (j = 0; j <= 1; j++) { + for (j = check_own_groups ? 0 : 1; j <= 1; j++) { if (!tls1_get_curvelist(s, j, &pcurves, &num_curves)) return 0; if (j == 1 && num_curves == 0) { @@ -579,9 +586,12 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) return 0; /* * Can't check curve_id for client certs as we don't have a supported - * curves extension. + * curves extension. For server certs we will tolerate certificates that + * aren't in our own list of curves. If we've been configured to use an EC + * cert then we should use it - therefore we use DONT_CHECK_OWN_GROUPS here. */ - rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id); + rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id, + DONT_CHECK_OWN_GROUPS); if (!rv) return 0; /* @@ -644,7 +654,7 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) return 0; curve_id[0] = 0; /* Check this curve is acceptable */ - if (!tls1_check_ec_key(s, curve_id, NULL)) + if (!tls1_check_ec_key(s, curve_id, NULL, CHECK_OWN_GROUPS)) return 0; return 1; } @@ -746,8 +756,9 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs) } /* - * Check signature algorithm is consistent with sent supported signature - * algorithms and if so return relevant digest. + * Check signature algorithm received from the peer with a signature is + * consistent with the sent supported signature algorithms and if so return + * relevant digest. */ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, const unsigned char *sig, EVP_PKEY *pkey) @@ -769,7 +780,8 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, /* Check compression and curve matches extensions */ if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey))) return 0; - if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) { + if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id, + CHECK_OWN_GROUPS)) { SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); return 0; } @@ -2144,6 +2156,10 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) } } } else if (type == TLSEXT_TYPE_status_request) { + /* Ignore this if resuming */ + if (s->hit) + continue; + if (!PACKET_get_1(&extension, (unsigned int *)&s->tlsext_status_type)) { return 0; @@ -2784,7 +2800,7 @@ int tls1_set_server_sigalgs(SSL *s) if (!s->cert->shared_sigalgs) { SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS); - al = SSL_AD_ILLEGAL_PARAMETER; + al = SSL_AD_HANDSHAKE_FAILURE; goto err; } } else { @@ -4125,13 +4141,16 @@ DH *ssl_get_auto_dh(SSL *s) if (dhp == NULL) return NULL; g = BN_new(); - if (g != NULL) - BN_set_word(g, 2); + if (g == NULL || !BN_set_word(g, 2)) { + DH_free(dhp); + BN_free(g); + return NULL; + } if (dh_secbits >= 192) p = BN_get_rfc3526_prime_8192(NULL); else p = BN_get_rfc3526_prime_3072(NULL); - if (p == NULL || g == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { + if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { DH_free(dhp); BN_free(p); BN_free(g); @@ -4172,6 +4191,9 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) return 1; sig_nid = X509_get_signature_nid(x); + /* We are not able to look up the CA MD for RSA PSS in this version */ + if (sig_nid == NID_rsassaPss) + return 1; if (sig_nid && OBJ_find_sigid_algs(sig_nid, &md_nid, NULL)) { const EVP_MD *md; if (md_nid && (md = EVP_get_digestbynid(md_nid))) diff --git a/deps/openssl/openssl/ssl/t1_trce.c b/deps/openssl/openssl/ssl/t1_trce.c index 76bdf792ae..588cb8cc3d 100644 --- a/deps/openssl/openssl/ssl/t1_trce.c +++ b/deps/openssl/openssl/ssl/t1_trce.c @@ -1,5 +1,5 @@ /* - * Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -725,6 +725,8 @@ static int ssl_print_extensions(BIO *bio, int indent, int server, BIO_puts(bio, "No Extensions\n"); return 1; } + if (msglen < 2) + return 0; extslen = (msg[0] << 8) | msg[1]; if (extslen != msglen - 2) return 0; @@ -1092,6 +1094,8 @@ static int ssl_print_cert_request(BIO *bio, int indent, SSL *s, msglen -= xlen + 2; skip_sig: + if (msglen < 2) + return 0; xlen = (msg[0] << 8) | msg[1]; BIO_indent(bio, indent, 80); if (msglen < xlen + 2) @@ -1271,7 +1275,16 @@ void SSL_trace(int write_p, int version, int content_type, switch (content_type) { case SSL3_RT_HEADER: { - int hvers = msg[1] << 8 | msg[2]; + int hvers; + + /* avoid overlapping with length at the end of buffer */ + if (msglen < (size_t)(SSL_IS_DTLS(ssl) ? + DTLS1_RT_HEADER_LENGTH : SSL3_RT_HEADER_LENGTH)) { + BIO_puts(bio, write_p ? "Sent" : "Received"); + ssl_print_hex(bio, 0, " too short message", msg, msglen); + break; + } + hvers = msg[1] << 8 | msg[2]; BIO_puts(bio, write_p ? "Sent" : "Received"); BIO_printf(bio, " Record\nHeader:\n Version = %s (0x%x)\n", ssl_trace_str(hvers, ssl_version_tbl), hvers); diff --git a/deps/openssl/openssl/test/README b/deps/openssl/openssl/test/README index b1222399f7..ef39d38ac9 100644 --- a/deps/openssl/openssl/test/README +++ b/deps/openssl/openssl/test/README @@ -38,9 +38,9 @@ A recipe that just runs a test executable A script that just runs a program looks like this: #! /usr/bin/perl - + use OpenSSL::Test::Simple; - + simple_test("test_{name}", "{name}test", "{name}"); {name} is the unique name you have chosen for your test. @@ -62,28 +62,28 @@ documentation. For OpenSSL::Test, do `perldoc test/testlib/OpenSSL/Test.pm'. A script to start from could be this: #! /usr/bin/perl - + use strict; use warnings; use OpenSSL::Test; - + setup("test_{name}"); - + plan tests => 2; # The number of tests being performed - + ok(test1, "test1"); ok(test2, "test1"); - + sub test1 { # test feature 1 } - + sub test2 { # test feature 2 } - + Changes to test/Makefile ======================== diff --git a/deps/openssl/openssl/test/bioprinttest.c b/deps/openssl/openssl/test/bioprinttest.c index d8bb2c2e34..b2d26225e5 100644 --- a/deps/openssl/openssl/test/bioprinttest.c +++ b/deps/openssl/openssl/test/bioprinttest.c @@ -221,3 +221,5 @@ int main(int argc, char **argv) } return 0; } + + diff --git a/deps/openssl/openssl/test/build.info b/deps/openssl/openssl/test/build.info index c262248b6f..d850b5229c 100644 --- a/deps/openssl/openssl/test/build.info +++ b/deps/openssl/openssl/test/build.info @@ -1,5 +1,6 @@ IF[{- !$disabled{tests} -}] PROGRAMS_NO_INST=\ + versions \ aborttest \ sanitytest exdatatest bntest \ ectest ecdsatest gmdifftest pbelutest ideatest \ @@ -17,7 +18,11 @@ IF[{- !$disabled{tests} -}] dtlsv1listentest ct_test threadstest afalgtest d2i_test \ ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \ bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \ - ocspapitest fatalerrtest + ocspapitest fatalerrtest x509_time_test x509_dup_cert_test errtest + + SOURCE[versions]=versions.c + INCLUDE[versions]=../include + DEPEND[versions]=../libcrypto SOURCE[aborttest]=aborttest.c INCLUDE[aborttest]=../include @@ -292,11 +297,23 @@ IF[{- !$disabled{tests} -}] INCLUDE[bio_enc_test]=../include DEPEND[bio_enc_test]=../libcrypto + SOURCE[x509_time_test]=x509_time_test.c testutil.c + INCLUDE[x509_time_test]=.. ../include + DEPEND[x509_time_test]=../libcrypto + + SOURCE[x509_dup_cert_test]=x509_dup_cert_test.c + INCLUDE[x509_dup_cert_test]=../include + DEPEND[x509_dup_cert_test]=../libcrypto + IF[{- !$disabled{shared} -}] PROGRAMS_NO_INST=shlibloadtest SOURCE[shlibloadtest]=shlibloadtest.c INCLUDE[shlibloadtest]=../include ENDIF + + SOURCE[errtest]=errtest.c testutil.c + INCLUDE[errtest]=../include + DEPEND[errtest]=../libcrypto ENDIF {- diff --git a/deps/openssl/openssl/test/certs/alt1-cert.pem b/deps/openssl/openssl/test/certs/alt1-cert.pem index b94d0eaf9d..d68b0e5193 100644 --- a/deps/openssl/openssl/test/certs/alt1-cert.pem +++ b/deps/openssl/openssl/test/certs/alt1-cert.pem @@ -1,22 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDlTCCAn2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 -IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMGgxIzAh -BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu -Z29vZC5vcmcxEzARBgNVBAMMCkpvZSBCbG9nZ3MxFTATBgNVBAMMDGFueS5nb29k -LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALAv1X8S8uUpnjTa -3bv7m1jJbbX7bC9w7k4TfxiU5XL/m3EhN//EUBJSoamy6vFC6oy/6jA8XmptlVrY -Sp3ZKFdjdZh+CyYZKcrv4JReF2lfRIINn6d6EgcAobGTNwdcv67xuNtMi0meAvmK -gLjOa/IhCHNC+l8vNDJx/a+7mxH+yNxPL6lC/kJMja6oaYndx74WJpPC22LJ/cCp -xspKKsoPYYjk0BX9RvbKO8s4b86Wjzzntht+NpQ4LLh9XwPZog11qGE4UIrsV8XA -YxJrMGQNZd69cnCOz8vnOVCszFOa4qVvXeAGr0iFlZAXbQJevpiiXaXHMEt8C1qH -xpcW8DcCAwEAAaOBmDCBlTAdBgNVHQ4EFgQUw8nB25NP0gUaFCrOwAO5KzllnREw -HwYDVR0jBBgwFoAUCNGb+ebVZHCg8Wsanu1S2t31UEMwCQYDVR0TBAIwADBIBgNV -HREEQTA/ggx3d3cuZ29vZC5vcmeCDGFueS5nb29kLmNvbYENZ29vZEBnb29kLm9y -Z4EMYW55QGdvb2QuY29thwTAqAABMA0GCSqGSIb3DQEBCwUAA4IBAQBUnDMrg1py -8/iYXzs11Qbw7bBhc/HQDpu5QVgriaX2zDUpTLSEUV7qZFSHmwWm91ILw2VA1Xni -ua2sF19o/tJT0ZHpapkfqGpfsym2H04NDMKy0l0fSZhlCB5Kv5wpiFt9hBUrxS/2 -Dd6Kg+Ka02nD5QBXSAk/xz0FmgezzGGCLjg85/Sfe9Y7tNhQXh3HuGXuJizYccdQ -Fh1IAFYW3DZoDKS7dDTCltvDEma/2IE684+CRJiA6PH9rYfJ1CCUfAMpyA85CxKT -P68GDKI++WoUgM8LDfxS0KOL7A9cqcpM2L27hjyEgnqIBPHFfm9fxztBotuCTl5L -vRlTFVjv65nn +MIIDgTCCAmmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +IE5DIENBIDEwIBcNMTgwNTE2MDIzODEzWhgPMjExODA1MTcwMjM4MTNaMFQxIzAh +BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRgwFgYDVQQDDA93d3cu +ZXhhbXBsZS5uZXQxEzARBgNVBAMMCkpvZSBCbG9nZ3MwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDTqvf6j+WxCtn4RU8/6uXXgCTcksv6NDXCZ9JAz4Vv +cQbJfhFbDWpGZQZDOCqwtj+7CSVIraxItHzPlrt36cevsoPmpuqGbHrUaOLneme2 +x81SXUq0z/DmDvwxVENmRj1u7iCt3sL7awcid4SiotLOY2F1jBazmqprqKZBUiyQ +XqpSp+9uSav77ydwDXCrQozBdns1YRshgU9omQrTcIqHCj1f9Lo+A2y4+TZYZkvS +DuUZiTfPTPouR6sopM8JLyAZc+TvFFncEg24N+zz3O3jwH82BZEjzavw92J9npJB +UXvKb8O9z7UA65WYuL2he7kSQCsPNLoRWZnVpchwr3VHAgMBAAGjgZgwgZUwHQYD +VR0OBBYEFHvLhGWckFjVXdDI3ds9Wti6zgXAMB8GA1UdIwQYMBaAFAjRm/nm1WRw +oPFrGp7tUtrd9VBDMAkGA1UdEwQCMAAwSAYDVR0RBEEwP4IMd3d3Lmdvb2Qub3Jn +ggxhbnkuZ29vZC5jb22BDWdvb2RAZ29vZC5vcmeBDGFueUBnb29kLmNvbYcEwKgA +ATANBgkqhkiG9w0BAQsFAAOCAQEATVcTyrAxsehdQNrkL6kquXxWlyegJcxvVxUe +hfh9+Lw4620b2S1/l2YxFM3peLAsRgJOznmJOeG18+y7/kx/3UNqYGY7e8iJQ3Gl +JwDIJp5JCaUOlodjhMJtRc7jn9RcsL97oizXdcryyWT0vSlM9Pie9NtHG5iq5X4+ +oL3X8+OG25MOkF2h3YVCEG3vDu7quyTlHc2ebwpdLZRndcOewO2Cap1ettyWXUPP +Mha6wyJE8LJhrGmrI8Lw+i7gGscP0xYZn3yCLk5BtOabn4dvCiDmb+TPruKQQARw +BG45LEZzGxz+Ad3xRdZyVi1I67v9YShoYTCpMTSxJaR0erH74g== -----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/certs/alt1-key.pem b/deps/openssl/openssl/test/certs/alt1-key.pem index b5d4d326c5..6df050a38f 100644 --- a/deps/openssl/openssl/test/certs/alt1-key.pem +++ b/deps/openssl/openssl/test/certs/alt1-key.pem @@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCwL9V/EvLlKZ40 -2t27+5tYyW21+2wvcO5OE38YlOVy/5txITf/xFASUqGpsurxQuqMv+owPF5qbZVa -2Eqd2ShXY3WYfgsmGSnK7+CUXhdpX0SCDZ+nehIHAKGxkzcHXL+u8bjbTItJngL5 -ioC4zmvyIQhzQvpfLzQycf2vu5sR/sjcTy+pQv5CTI2uqGmJ3ce+FiaTwttiyf3A -qcbKSirKD2GI5NAV/Ub2yjvLOG/Olo8857YbfjaUOCy4fV8D2aINdahhOFCK7FfF -wGMSazBkDWXevXJwjs/L5zlQrMxTmuKlb13gBq9IhZWQF20CXr6Yol2lxzBLfAta -h8aXFvA3AgMBAAECggEAa073DcqQvhq3DSIw4wm/+DfW5nwXzF1QB6XAR0yI453j -IuhEnzcGPeKuLBmZFxDWoptRG8fpCZFs4kPSTomxFGizewlp6O5ykfPAKR2VzMwF -geCiWPL0f+dWlD1Byu4moXsASDE6tL/UuAAvnl+7R2HvL6SfsdGiTQc4qAvvyukM -szks+MePHSlXmL5Eld7HfKgpvxY1SbYOQU0aPXAQAnLaOT931q+tgZMG6nBWN+pu -w5bgKCA26BMAAaUAdIIDEa9fjzkpXjElCT4qhJYVKQn9Pb7aSc4jihSpCknqbb9c -55nW5PWMZJyCbCOUG/SVTblXV+NmhdtwrgUbHImXIQKBgQDcb/7vp+rq06uNx3b4 -AjTZdzCVbHM8gp7b1GkGD0SncrzX6RxPSzNn7d4AUKY065bwa89A+TRwV8DSo7G8 -hxjzdU/FKCg8ce0eqoCtWjIT2r+rV2P9dFhfRT5jdOwHrym8LeSGzANjIBNV7FOf -FIRkQ1BVD0QSPla+26ASqsw60wKBgQDMnEzChQWgAsBelALmGaj/wDdWDUXK8xRg -s7dG1Sx41SLk39SAjCUYXPyy8IHBitJtPZNDp23tR4/m8Ui1pB2T0EnlzBsuzrZ/ -0aCbJnQ08FXE8iVajrgce4ZCdT8vkeH8EVhqDpJIlAhoKy3HaoAr4o2/uRoGDpHZ -iAbDLTEOjQKBgFrp4dXLhkqFNArMShetKUjLLIFj8f7xzDzT1ODH6UO6QYI2xRM6 -65+gbd/pYzMOOvk7LYYZgXQX7RGyq3oaqcK3Dkg88KNFRUtRfLKCMYcYv9YVu8pr -cosQTtPMBBCDQI44yziA6aC3OOJGDpLcbmG/lWEPY762cSZUBCfOw147AoGAd8S+ -AdcPtdwmcrY9BCfdDuea/JoEUon7UaehDqtVvt0z8bk7kIt4Y0x69ttleL8j8aHr -g9yLsisDhvGR2BFa5t0zhHn3J20E0skINAlMWHieHAyJ5PpJtxJvQpOTCutf1sbo -dBxXcHiGe0NbJrGmmQmiY6mcHBOHOEgxfSoE3zkCgYAc+ozIr3xmUcooUeA7uqpd -LvGGqHThGrtXVFIErOIcajC9bHEeZw4Do/oT5L7Wr7pOZ20VUmuRvwytd7IYYTVV -g+nIyKaMttEaCzHEsO0CQUHexOkJbL4rpc3HiK5hIhL8Yo2L/obQgCxYmvyChpo3 -sXJAoFllBNfAK3aanFOR1Q== +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDTqvf6j+WxCtn4 +RU8/6uXXgCTcksv6NDXCZ9JAz4VvcQbJfhFbDWpGZQZDOCqwtj+7CSVIraxItHzP +lrt36cevsoPmpuqGbHrUaOLneme2x81SXUq0z/DmDvwxVENmRj1u7iCt3sL7awci +d4SiotLOY2F1jBazmqprqKZBUiyQXqpSp+9uSav77ydwDXCrQozBdns1YRshgU9o +mQrTcIqHCj1f9Lo+A2y4+TZYZkvSDuUZiTfPTPouR6sopM8JLyAZc+TvFFncEg24 +N+zz3O3jwH82BZEjzavw92J9npJBUXvKb8O9z7UA65WYuL2he7kSQCsPNLoRWZnV +pchwr3VHAgMBAAECggEACPTB+1sdV+lioaulF8pDoWOtq5uWf+a3o5sq/U0Kk1WP ++PSZnWWq6oGZyzxUKhf8CFjxt+qJUKY6Zbo2AnPk3B1MkXTclYV/iP9LIoo+WzCH +EoYaBB6MTd+ycg/jri8oqEnxHgo/681yhtXRyePj0ZHI7OVZjI3tyhJfvoHQmuci +u6qYYUP0GWuyM+kHS11vn6Q1U8nOZWvXpEDXDDdJ7+2QRuv01AXcjFxpbFzkMn2W +JkhKkCTIQpUU66VMRHwNexi+TR2rRESq0G+fa+6gaVFVIs0vBukq48IeC5W21j1L +zyftHxci67FlYC9iaiUxDVt3KB+lcukx6Cz5mjtzqQKBgQD/GrAtFfjiXKj9O5ld +K7dnnBHE8fzyWQWyOfwpVjNAC1J7tgwFvDpBpTHOwS5JnCwMWWM3rkBPRhCusmrF +AtfE8b643G+cJbTgDuEhGh11QR0p9VWMVFQL9kZxx12PegDtFBfzcfcI3XQwKVKL +ZbQn4ibW3BKSt9+Nh3APa0s5iwKBgQDUaTxZBajTdzoDd6Pg3warL5BhsxWr2tUQ +qf+iVoba2Y9NTBdxBht2whSaYweU9kxmeNZvnCu95B8HeRGE69Dxb7IWwpsaxoaf +ND0NcCF7aPZgx7hvhbHF7duzt3nuv+q5sOuuyHPzm+nF2snAuY3Zg+Bpv3nlYekf +18aXZdwStQKBgEpF8e9ei1UUl1sLZC6dUMvIw9+sePHye1cVzNYYM9m8sio0qbFt +ySRdvW+uDRT/dE+wItQOVsj95FOIvM9ZcYr0u4vFGnXDALOPgXqKyPLfn2cc9+hg +kQvei0oLOrFQWz6rcAHAN6WMHIz9KvxNAzPtg1NhRcMT5/Gj8jt7CK7bAoGAIeKz +7OO5Phr8F0eDzkDmGHMbDmr6XxMnAGSOUoCJPOqOMN+dsbsusHBfxw1bTUlJgONw +GhgI5l85EAEhaVoRWCLgfz8GbWwUV9uGjdlAjiZ9f4z9AFWMua2rae0wN4VIVd1C +i/yQeuF5lsXDf8paNcQTDeus74oCHcFXfhmS1S0CgYB2q8E+H0kFHbUxkIZYwhsM +r0lTecn+kVsyPPje2UlzfTwvcC9dFIC4ppCdJGUJAwi/PJnr6xNyOH6I1pjUA8ER +Aofm4Oj2DwX8W+81oO71/RXSfEFUjdOw0H6iRDyvWa1gqftj2/aWjV7Ifdo49thx +EzX/9GdsRInifN6FfOfo/A== -----END PRIVATE KEY----- diff --git a/deps/openssl/openssl/test/certs/badalt6-cert.pem b/deps/openssl/openssl/test/certs/badalt6-cert.pem index fbe040b52c..f41568f6ee 100644 --- a/deps/openssl/openssl/test/certs/badalt6-cert.pem +++ b/deps/openssl/openssl/test/certs/badalt6-cert.pem @@ -1,22 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDljCCAn6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 -IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMGkxIjAg +MIIDeDCCAmCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +IE5DIENBIDEwIBcNMTgwNTE2MDMyNjMyWhgPMjExODA1MTcwMzI2MzJaMGkxIjAg BgNVBAoMGUJhZCBOQyBUZXN0IENlcnRpZmljYXRlIDYxFzAVBgNVBAMMDm90aGVy Lmdvb2Qub3JnMRMwEQYDVQQDDApKb2UgQmxvZ2dzMRUwEwYDVQQDDAxhbnkuZ29v -ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKz8F/ndKz0vuv -BymjTUjtrWSQsnsuisR+oW8CIliNBi8yqqeNrtoa2s+e2GBC7gxDlK9IOqGo4Ulu -9jY5On6RysrFWLpK97I7EP9cg63alH+NRFEwczRzErHtYx54yiBjcovcCVeTtdnd -7/P4T8hIGy6QjdW68lzwnN/I9x11NWoipIKvAOGXz0L/WaPPWZ0GJFlBqEX//O3+ -6sweSUX4ivAC9txou3rwDA8kJx5Ge9trQ9dPPG/jpL96f1DLE9H2SkVff1KLTPmb -jUwiYj161lsKLxGkbdmPWRjt1pP4+5UUhioo1Y0WrTd5ELwB1eKTtWsOlRsdLOa8 -1L6m8ngXAgMBAAGjgZgwgZUwHQYDVR0OBBYEFBIKyD5bUUNIFxlQJl/rBvvIm0XZ -MB8GA1UdIwQYMBaAFAjRm/nm1WRwoPFrGp7tUtrd9VBDMAkGA1UdEwQCMAAwSAYD -VR0RBEEwP4IMd3d3Lmdvb2Qub3JnggxhbnkuZ29vZC5jb22BDWdvb2RAZ29vZC5v -cmeBDGFueUBnb29kLmNvbYcEwKgAATANBgkqhkiG9w0BAQsFAAOCAQEAa2lydA7a -YgRhYeIuPEtR+bKyDkIKNjvx2IRL/FL70s/IWFWDK1rpsMYLGNa7rWpW5gq4T6zb -JIwC/770Rw1p+0j9eAC95d2wCEhyNcLdoP4ch7whr0MhxYHUJ8zQGPdQ97DWGoEB -2seLjrhMrX004TM4UlM+lpjsb88QEcD+kOEhdDTKm0ABUygOr1KRay437mtUhAzb -WyUbAjKbhgyv6IFRNHKy6YtCMugPihn+Pd1NY6c2ACRVOAUS/+rvVyjxBCATW5Wk -zAtNIxYgcm3rYRroGYT2BGj8Ic7oqPOWPdGWhsieX0c+y2ZnS727Kwc5tXFfW9By -GH32QmEN5o5jZQ== +ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDl46xhstHmmYhp +XY/FcnQStR4XHtHcNRyvq1perl0fezeCY85KkddGppic5qIWQDL4ViP3HfvhMlDZ +E0tAjEfr8Auac9gpa2IFVJAzMnnzOkhO6cr5kmid4392tNCG5sUWS99t2Z4f9sOP +DQKdoN7lnmxnpZqNf9NUERsN5i4fcvErfQZ4LqV5ld810ZAQZUfarn1rg6/U/ADc +qA0uQgk9RxVgSDt3M5mi8AaC73Be9nAefXQUybzs6J8EfsDijhD85msxs4Fha4pg +gM+bXHv9C7whxM5F2WTeET0cIcAfE3+jzQlkjcjlS1rTEq4d0Pd+1rXkhMwZeze2 +KRL2Le8jAgMBAAGjezB5MB0GA1UdDgQWBBRJJljvheyfKr9neNplhIMIFx25QjAf +BgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAAMCwGA1Ud +EQQlMCOBDWdvb2RAZ29vZC5vcmeBDGFueUBnb29kLmNvbYcEwKgAATANBgkqhkiG +9w0BAQsFAAOCAQEAPfRFkpkTsPlH54n/i3kxR8Hw17kUOV0/v39fnNzV+PXS/IIU +9OFfP7qNeuoWVQKXCwNWGWYXb7O0LNJMJQWWtyXtzWH3rOSxdSRIrTsCVHA41Lbo +te2nrfnGMtg6em51Do6Kk0JM304sVAWl5OY/eckBmuDgN/5WfZudOLd8Ohv8vZ6U +ZNoSBNpu1x5gfEPywMUGAgbkNZVpzNAfulx3/D2kWk0qwEKqnphUyaXiTVqO49gr +n1LwSVdqBcmapBmEO3puV4TBWFwM49iMMNGn0fp/JBVsLjt+q7TK96qGBo/BSEL+ +e2TXTNpdkn3l+ZK2FYdf7s8fytoe+6o92dN+fA== -----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/certs/badalt6-key.pem b/deps/openssl/openssl/test/certs/badalt6-key.pem index 203a4c7a00..782d69334a 100644 --- a/deps/openssl/openssl/test/certs/badalt6-key.pem +++ b/deps/openssl/openssl/test/certs/badalt6-key.pem @@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDKz8F/ndKz0vuv -BymjTUjtrWSQsnsuisR+oW8CIliNBi8yqqeNrtoa2s+e2GBC7gxDlK9IOqGo4Ulu -9jY5On6RysrFWLpK97I7EP9cg63alH+NRFEwczRzErHtYx54yiBjcovcCVeTtdnd -7/P4T8hIGy6QjdW68lzwnN/I9x11NWoipIKvAOGXz0L/WaPPWZ0GJFlBqEX//O3+ -6sweSUX4ivAC9txou3rwDA8kJx5Ge9trQ9dPPG/jpL96f1DLE9H2SkVff1KLTPmb -jUwiYj161lsKLxGkbdmPWRjt1pP4+5UUhioo1Y0WrTd5ELwB1eKTtWsOlRsdLOa8 -1L6m8ngXAgMBAAECggEBAJNMHK8BAvzTqTPPsfAGu4bTvgxRdKGy609FFAiqxUF3 -UmQsCZEfgwyqCszFPfSeS43xuPRukObE6L6MV4ls8GwWqvp1nKfCClJX3/9jK6tq -2tDQ416a7Wb+FvfgW0tDEg7oLKfcqRyAoQFNuxWHbGDiTQlz2dzzFYkzhlzBDUYH -/pu9qkNFGfYMFwsBUd8pp8zMnv552CCIgalBBFr1hy9q47HBaJPaF2/CjZJmsqkp -rVMBH7+j0y1DW3JO5rSKcRdz+mgEd9m/yQIazvBPJKxeGza8JfLBuACYFLIoO1S+ -b8s/zmQPHeZwTxSsM64M1uYi4dmJy0viozLlWsjrE1ECgYEA/GxGG/lB1mL+Hzmc -kXzWmA2nLPxZXGxMBOYH/n8l4OyDmKi2Bmly7kS0kLdY6gYTVBWFCRcvPxf+UJu9 -x4NcKDkjXVXSg7Muux3Bh1JoRCOKB2Hk3pqdDe55GcT5bSikkd5PYCNobcnqzSK1 -HzKveDdukraZxIPFpVs1VM9/gxMCgYEAza+BJUAEWoq925a1RKlMwdXW1ONBhFqU -fXon15fgycHkiYIBGbGE65Oyz8BwE6jNAT+SwKlNCc6jPAkXvEUpczEi5Rcox8Ec -hNoXBHcBxHEhtfV2VKX5I9JFAadmvnfS5St7HjRLzE2Y6xym1+fKfnAlSLpdb3W2 -eRqVBi3F020CgYEA6K/yrQTHwRX+BdC42JCIzSAA1IJG6eDW7skR43NX+pBr+sTD -DwQTszrYbHLnXst888zmluutXO8EO1Bl0E3yHQ4W4IolhcweLtUOOm0nunA8Y/PE -48MJNfd34N5nw01s7x5Mc2YQdOxmKvVsmzbA9AO9RTdYZgPGpVh/wA+LDssCgYBh -F2+G/ekQNF3awhFfD+vDtAVtCLlsmLVvZbJY+sCJfJU8s7mBP2LXMSk/GD/Ph+b9 -p9zGRSSwdHJpbIFfxeYDEja+nWgKowWrUKd83BBhgmW/Vtc8rfwlBKS+Wx8M2dMb -iqLbZyRAlICSuzumvyu+84EmC5L/gjlYgUvHVuQDIQKBgHH7q3hrKI5mQ0BR9h75 -4yP98c+Duz8IsQllIG0gzCiiOYIVTl3uzTCa/E9Sa+jG+kFsCeUDchmC6LmHdF/Z -ZHfECcQT4B37xMMwvjwNW7E6/FyRx3XC762Fd5vlz3fBuVKburfh1JpfpcO85Wvo -R1UfsJugW9Yetsqd9WB6q3ln +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDl46xhstHmmYhp +XY/FcnQStR4XHtHcNRyvq1perl0fezeCY85KkddGppic5qIWQDL4ViP3HfvhMlDZ +E0tAjEfr8Auac9gpa2IFVJAzMnnzOkhO6cr5kmid4392tNCG5sUWS99t2Z4f9sOP +DQKdoN7lnmxnpZqNf9NUERsN5i4fcvErfQZ4LqV5ld810ZAQZUfarn1rg6/U/ADc +qA0uQgk9RxVgSDt3M5mi8AaC73Be9nAefXQUybzs6J8EfsDijhD85msxs4Fha4pg +gM+bXHv9C7whxM5F2WTeET0cIcAfE3+jzQlkjcjlS1rTEq4d0Pd+1rXkhMwZeze2 +KRL2Le8jAgMBAAECggEBAMcDjTTa2GmYWoZUr+UPizqyvsTnMmg/NoFBhy9WJVne +kpR3kJvvm30XNiEGbCV1GGryL5p7w5UVuPXjhQ7xIkY3feQNC4H361iP93HK7dXJ +i9V9AfGCdLzSuILsT2Wpm88MifUQIpqrRmqtqakKHkyMFG655409rpYlZNVogl9H +vzrTE8rjysNMjP+bpbgkxUJfeATw8OYhEwd9ahj/E0r0r2enYhGEP3j+1zYsGdmM +L2Uy4M+modaAWpZg5pUWpFjxl+V2cSJHdaQc8KYg8Z8RUyzYipFk3YzjP5jtprq5 +dHf9FqlcXk+MtzcYe+x8mIb3uwZhOtdpnUqe5l+GTyECgYEA9j++rS9sajQzMqp0 +p+EptacD/p7A3wldIDGEpPJsSQL+vhcigyn4iPCM1pGWR4iuR7Od9RpQSf3Tfnqc +ZwUJQOpiYpxo1+QlqlBJkDjDRztp+kETZAgzc084ZhwQv9PfYyxa+8layQFhnClt +Z9G0o4AV1povVeQLO5+9CQZQ4VMCgYEA7v4WuydzlLGKppsJEG8vvieR64mjOfO4 +gHBMEYnzEeTZPDvIfEfguM1upJCvt5GXp3huVHCAsFgs6kDjVbpIL1A2HzrMPtOa +MNDSOrpuLcakAgEgx2VFv4TMnA1QKPg3//YCqEqqTJyX0C4OwaADRZJS7YfHp9lg +mpv90baE8PECgYAv3oxulj15F9SsEL7Es9yr11/La4kK0oMr8vRaLFYoi1CCG3U2 +Ej6iQEDgpUSVe1iFz8DxGMBq4dDvUV5+GFiIKggeK1GmRk+cICdsxdwQSNh9MZFX +bNCzpb7M+r+2yrUuTj0RnT7svDwBY3xFJlr7PbcBFNAG3mHgoVjaHEQ0yQKBgHbS +zepvSv/65bzACFmrbklU0zAQVp9RlcIGE0wFEl0rMvbHon5oHkrDmOcpKLRUJtqU +/gXtiY4jyPEPIfhVjd44OzB7w2DZRChRKrUYS/9ma9SzSuDYcT0vgat00w4Lm4wf +fGK//Lvqf3B59cw/CmFkxuZiQ9ooMees9x11adOBAoGBAMdb0r8sAtgh+KTbA8Kq +guIWiknOk6/LYUTuT3fidPIPbErrUQQR9WWHuXjrj2RyHI/RLjYLFamikvhU7PmE +jPjPAo4p1a0WBwrYgjGDIRjTVjbUK282vuYkunGWYfgnZurAyjJCndL/eNZuX2F5 +m1rTfab8O+tOOGKGyzfouD2A -----END PRIVATE KEY----- diff --git a/deps/openssl/openssl/test/certs/badalt7-cert.pem b/deps/openssl/openssl/test/certs/badalt7-cert.pem index b515ba43d9..4fa81b3c6f 100644 --- a/deps/openssl/openssl/test/certs/badalt7-cert.pem +++ b/deps/openssl/openssl/test/certs/badalt7-cert.pem @@ -1,23 +1,22 @@ -----BEGIN CERTIFICATE----- -MIID1DCCArygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 -IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMIGmMTsw +MIIDtjCCAp6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +IE5DIENBIDEwIBcNMTgwNTE2MDMyNzA5WhgPMjExODA1MTcwMzI3MDlaMIGmMTsw OQYDVQQKHjIAQgBhAGQAIABOAEMAIABUAGUAcwB0ACAAQwBlAHIAdABpAGYAaQBj AGEAdABlACAANzElMCMGA1UEAx4cAG8AdABoAGUAcgAuAGcAbwBvAGQALgBvAHIA ZzEdMBsGA1UEAx4UAEoAbwBlACAAQgBsAG8AZwBnAHMxITAfBgNVBAMeGABhAG4A eQAuAGcAbwBvAGQALgBjAG8AbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBANStByWr70u2A49OO+LYu0ivQP+uBu2n3E6RoEYf+op/+JF3clwfMQCGqiSg -QxOJMHkcu4gJDudRLCSXqHPnR0hOd+mQ5wQQJmLj8A99ImcD2oN5R3V5I4bSlXP9 -GCq2pFDnwXuEcJ3d2Dt1HYO4jA4Ol/RBT3NIqmwSnQzXv98mjYFpy6AuAIaYGmbh -1DLWxsTPI2NjNafJYS85NrQDLkTpq48nCmQCJ+ly6Zzu7WuJiDKD1Rxs7ZwgNtLi -Zhp41TeFHxCbfSFKe9u4rnUmImKxwgc9KuzOLpLAzD9avWpPGHtkCsLFsiw/EJYf -UdeCXc7tz9WhXZzOk/ffLOcrorMCAwEAAaOBmDCBlTAdBgNVHQ4EFgQUwYsR1XfZ -2cPcAR7i5i9obalnJcIwHwYDVR0jBBgwFoAUCNGb+ebVZHCg8Wsanu1S2t31UEMw -CQYDVR0TBAIwADBIBgNVHREEQTA/ggx3d3cuZ29vZC5vcmeCDGFueS5nb29kLmNv -bYENZ29vZEBnb29kLm9yZ4EMYW55QGdvb2QuY29thwTAqAABMA0GCSqGSIb3DQEB -CwUAA4IBAQAN/klfzMLi2acp5KdH9UZR4XCk3cZBOuMuI0vU+wrU/ETgY6rFhAwY -gSZsO6vX0mt/G6QfOmY5+kW4FY5XavGhhNVY2x5ATZKvQCf+orIsUHOBxVTjH6az -uEnxGDRTbjXSkBTCTSoOqdJNeOmEwiaHEVy/atumUW2B2KP5FeBGdud/94c4Q9/O -WBJ0EICGF6hYTDra63lAjxyARTvocVakIE8zytT1SbU4yO05mYPyNdXxiXikepFE -phPQWNSLx4EPBIorGCFj7MPDmFCH/+EjDjGz3SNUvqsak6MstzK94KVriQyIHKex -IL5WuKFm0XSGKTX8SzyMGErMGeriveL2 +ggEBAOG4PegItzkmJDwlSA/FyVHWLWUIQrnxgS0KSds3On2CMsjDJ+X77B4s1IPI +yKHuqNbXqV/hJGAxKnZRZe0D6VsmKlYOYpz9QtFxvpo5DwA3q6BTx6sIElFn/lip +Pbu5ZeIMNeN4bot7x5sBobr6OgidAVaAuqQHHJnD7mQ1s22qY0UqkBqNBhhJWOmx +YC0Q56WDi9+C7Cy2+kiiSlT4jCZ8m1K0F7tTK5mF0p4HppXmXLzcecZ/Sw8jOqQK +JM/4UCj/nxWCGYKWkv8zLJtG+ryfZMf15/0Cd1dzHAS9mYU4mFssPdFyT+WFpw7b +K3TOTXkS/tAPbj0xin2wqBJz8m8CAwEAAaN7MHkwHQYDVR0OBBYEFOWYNq+H1LH6 +lZUpgijb/S/sAiDsMB8GA1UdIwQYMBaAFAjRm/nm1WRwoPFrGp7tUtrd9VBDMAkG +A1UdEwQCMAAwLAYDVR0RBCUwI4ENZ29vZEBnb29kLm9yZ4EMYW55QGdvb2QuY29t +hwTAqAABMA0GCSqGSIb3DQEBCwUAA4IBAQAwUxnqq0gBgKmEHIRgZVu10KtOknjt +p/wEcqQ9METvXb+4/a4U6ftjTgaOrPVjamNFlaoUcTgx2nk2zRsjM+e+tpnxDgRR +/yoVB3HsISpdeN70s/WYAgvev/FdV3O+JWhUYHdKrDB4DMfPhlRIfSgOymJljo6+ +wL8qa7lVonF91Im4SCbq4dqtAnbg4ttblQ3yjFfQtuwzyJD/3ism6FQPLbg1K4eu +1Si0EDL4Fct581Gb5D+NU8PYiwg7Nk8ubNlRHXydoVGDLmT0hLE+/IsPd1M8tMqm +sifRl2Is+lGVeg4pPHFjB0npTNkaYafu89dz/3PNRRr5If06B+apk4AX -----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/certs/badalt7-key.pem b/deps/openssl/openssl/test/certs/badalt7-key.pem index 50557e8968..b453f1ff30 100644 --- a/deps/openssl/openssl/test/certs/badalt7-key.pem +++ b/deps/openssl/openssl/test/certs/badalt7-key.pem @@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDUrQclq+9LtgOP -Tjvi2LtIr0D/rgbtp9xOkaBGH/qKf/iRd3JcHzEAhqokoEMTiTB5HLuICQ7nUSwk -l6hz50dITnfpkOcEECZi4/APfSJnA9qDeUd1eSOG0pVz/RgqtqRQ58F7hHCd3dg7 -dR2DuIwODpf0QU9zSKpsEp0M17/fJo2BacugLgCGmBpm4dQy1sbEzyNjYzWnyWEv -OTa0Ay5E6auPJwpkAifpcumc7u1riYgyg9UcbO2cIDbS4mYaeNU3hR8Qm30hSnvb -uK51JiJiscIHPSrszi6SwMw/Wr1qTxh7ZArCxbIsPxCWH1HXgl3O7c/VoV2czpP3 -3yznK6KzAgMBAAECggEADjQ0Kv7tr3fLixGljEP/Vh5mT+02hz7TxueQ9b4DBKcB -We3JVH+8zRUxXdraP/7EnwIdQDuipC5WrWb3mC4VI64h8hZ8Z1gQyEAC83XfC1RF -jsxVynG5vrJnyuRXbdre5Ixl7rLsto5vd6EdxINZz0KIQYbvIHr07tzbYlUyelvA -mu0kYdtbjm2p2AGJJ99zN3EiQ9lZDyiFirOXEA9P/YdKKVlIwpDPbn/TmNY/k6Ul -mRxgAJKwKiR6Gg3QMdTUKeaXBpKf/pa+5rzR7zxNbiQO3IXOVx7ZzQ2R0Wuivpqk -yjMaqUa7dDuvtIHJBpJB7TIL6SlQkiS1lEQFhO7EAQKBgQDz30obdymxqQVy7IsH -NLo5xRX1hRRN9h34Y4qC0JXkCTG1fWJ19KYHod0S5peaIo/ThDVf1UXln6amdCjM -oIfhmo0baNIdMMpxxBdsdLfUKwyVh8qROaBscPE4FGBUrfEW/wSn1WRYcWh+oda3 -LuLVf5Qt9a9f6ZYuy1X6dDi8swKBgQDfQJTSFUNkV8yKfMX54x0DcUkiWOu3LaET -GSu0UXqBVn1Q+u6CUAkh5jA9fpyM5sp9+t5FuwjO+ITHfiNFoD/LCeMUfYVDF7O2 -uCLTsN+7gTGpKMnfL/rg9exrsfDdsmbQe4BhrUFBsYfKgBlBraL0QGD+25qgU8CS -CQ6toGCCAQKBgQDCYJskwRoObPXW4AsAN1qnaRtTkjrY2O6SaGSiV7bhByMD0WiF -M/aR5sXapsj3Jc0Vfi88rzUDDPk7eyJ51wn3G8SUsDuo4Ja7jtxMqctL5PQmyxD+ -J7xiMrNRS4xscifTeHgxfbh5dgsfw8bsQwaxvPpSl5ytCfWWXqOs+K2wWQKBgBM4 -Mher8PNQg7FgcILExJipRgyI7zID4ZwNTK/nW86KrZstHx9k2IRslraUkdGnhMM3 -t671HRsEVhn+h/bUhulp3nzDGZffEH+odocW8QvpYWcYtdha/xQi18mltgC//Q3x -s+m0yqtnJzONt57p3d99M1x9d2BaFXf9A6B68BQBAoGBAOatu9+wGaIEB//fpaQt -mnsS2XBJco5gHTjOegCSNe3gQQsB5mhTEekOeMzJ8WLTMVXQVCXx9/8HxKoycbq8 -M/7ScH1iT/wJTkSsjyeycUgH31GPeRvmo9YU2PsW3NN6ZyNpxWJFdcPYHAzZqJeA -cZtQWiEyaf026DdR8YBYn6tf +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDhuD3oCLc5JiQ8 +JUgPxclR1i1lCEK58YEtCknbNzp9gjLIwyfl++weLNSDyMih7qjW16lf4SRgMSp2 +UWXtA+lbJipWDmKc/ULRcb6aOQ8AN6ugU8erCBJRZ/5YqT27uWXiDDXjeG6Le8eb +AaG6+joInQFWgLqkBxyZw+5kNbNtqmNFKpAajQYYSVjpsWAtEOelg4vfguwstvpI +okpU+IwmfJtStBe7UyuZhdKeB6aV5ly83HnGf0sPIzqkCiTP+FAo/58VghmClpL/ +MyybRvq8n2TH9ef9AndXcxwEvZmFOJhbLD3Rck/lhacO2yt0zk15Ev7QD249MYp9 +sKgSc/JvAgMBAAECggEAZG2cJawTEXtV7ejMii//Jck8g1JMlfzM86Q7Pizxejw+ +qjKiguI2qSpbF5NzKRFNz+E+e+lpTN8zPFd1GSJ/Zk2x0n4uBBlu7E9GdcnjUb5z +Py9njEJYHB4//WS3kdmoag3ywBWqYaceJWpxcga5YXGx0bIO2MJNSGDzpWR7Q9QQ +tG/lWmno5goY2BxI08BTKSlqNIBkg/rr9jJo3axRcEmbx7hj4vUkAlypFKtmR4dW +bNo0f6VAd5Y6c9YbnKybR/44lScBksuSkZjm076cbbbp5PpsiLGe/12bqUcwCH+T +8hRVndmOLdOxC11OZOvMbX6x2uXNh3/Qr/GMyfzZcQKBgQD4we7E9vOygk1J5Vbl +1zETR9x3dujpBBx3xaHXUSJNUTNwmnZ+0JoFTqPkRmmPMNK7XfZuPymBehtk8WYt +NnezM2UNTdbfVOnJWnU6igRNGBaDW6F9AezlADBNwIbFVw6RqP4fTUFsmm9TQ/8M +4kZmmlW4uLZyX0WQO+AJa7NShwKBgQDoSpnQgmWqXMcaHwY2l8fEDuDc41nDoJIm +/CMppPbr7GkUX4OU785p6E0N0o1ONt+xCBT1lxHwWEeMAKZXrNC1XGpfvhpVZ72v +VruATDFs1rcL3S2Sty7A+jhFKKXlGeDWNcpaKY8nDvv2uJG0+J3bLprdMqnY/gQ1 +C+FzyQ6S2QKBgDnHIaRSD6xoo3cEc7iS0O0/ha+hyNtGfy46kyqlx6fZsm73EYrG +/N86ssp0qFP/7RJj8rcMqKFQMUiy4R6jRg4zY8dBSyU4XczM2+mq4PDfJWuBPvMA +HXvbHV0R2LvBSrr+W3f9w7Jr9GuMoZLmg5+VPU/YZ1gNVOT5Y0IM5+vFAoGBANx9 +CzlGvLeTrw1VS3GAaobn1Hr2dlrhTDki9UFvK03PLgK/ksdJRLV0YcdwBt6p6XRB +hpuC1O087lSuvTXVfJnZacMNUDOm7/7BpeJm8DcuK7tgKwTrSb61A7ppleY7xRWv +Iy6n6hCaAYIzuWJ85mGJAEhb8apdmqK7bzmXK3UpAoGBALdOvJfqbF0YlHbdQCVi +ftjtxs/dZKdF1rNARR0VMqUtZX+WP2b6OPXlwux94Cr//iNv5ih3B4Z4LIgTpgBJ +AKGXEBGMMthAlptC4BcOAEs9cYeWGLAoYk8jpNmXvXjhGqvzhPO2YrX5xy46dVOG +iiCseyA7Kr8Axt9QhUzoi5f7 -----END PRIVATE KEY----- diff --git a/deps/openssl/openssl/test/certs/badcn1-cert.pem b/deps/openssl/openssl/test/certs/badcn1-cert.pem new file mode 100644 index 0000000000..3b3bad658b --- /dev/null +++ b/deps/openssl/openssl/test/certs/badcn1-cert.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQDCCAiigAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +IE5DIENBIDEwIBcNMTgwNTE2MDI0MTMyWhgPMjExODA1MTcwMjQxMzJaME4xIzAh +BgNVBAoMGkdvb2QgTkMgVGVzdCBDZXJ0aWZpY2F0ZSAxMRUwEwYDVQQDDAx3d3cu +Z29vZC5vcmcxEDAOBgNVBAMMB2JhZC5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDN9WI6OyxnW+R98FqrWwMo3JE165bRB8iQOdDP3xE1+bvUMDYh +8wFR9gfNrKhqXubJ3lCHKgaApTXNKM/jwrT/pqhF6iNfPIbKAMTT4VZPy4/eI45R +03Yn+dJnZLDz7BDpnuhORp8XzQqfxSGBX0Rdr17xYOwGHcruwoitRyS/w8p8EKos +/LIDvjzye5GaPXqXkAkcBcLBpWlgMm+j8xE+LzGw1NVw8vWMSpP2WX9kp7aPbh+A +jSbT522yHy1r6WeElbSY7WOFvnmgbZ19pUdyz8CN6KKb87dBA0joyWSly5ZsNbjh +/YuRhCgRExvdQ6kImwdKAfO7RLkxho6jny1HAgMBAAGjXjBcMB0GA1UdDgQWBBT5 +fenRjyFKUb1XvUnm4GV9kZmONDAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa +3fVQQzAJBgNVHRMEAjAAMA8GA1UdEQQIMAaHBMCoAAEwDQYJKoZIhvcNAQELBQAD +ggEBACKtfZCcP/pY8Bu+lb/pGZj5txsmNbJ1l2RVACQA7CGjwfUr7VaQGMuT+FuA +Erlh+UnEC3R/e1xQwgJeuAXBOWFkxA61isVSrmM7YM6vDB0+t8N9lMUFjPbRyEkM +A5kaSLPrgSOg7ONsO6YGbaWm1XCoUC6Ilrdzy+ckzklgjYRth99b2d5WrjIxEWIq +BX2DI2ruetjXYGRzsqSK+O9d4fsqrb5M0ZCNWQZ4WnrMNaAeHWpW6NqSvof/N21x +WC5zcU7GXLrDigwWPMDLQhVtu4OihWjsqugh6Jl7DxDBhi8JKO6tJQAISHjKaL98 +yXZFsQ//q7ATwlcHyB81B+X16AI= +-----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/certs/badcn1-key.pem b/deps/openssl/openssl/test/certs/badcn1-key.pem new file mode 100644 index 0000000000..dbcf4b5d44 --- /dev/null +++ b/deps/openssl/openssl/test/certs/badcn1-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDN9WI6OyxnW+R9 +8FqrWwMo3JE165bRB8iQOdDP3xE1+bvUMDYh8wFR9gfNrKhqXubJ3lCHKgaApTXN +KM/jwrT/pqhF6iNfPIbKAMTT4VZPy4/eI45R03Yn+dJnZLDz7BDpnuhORp8XzQqf +xSGBX0Rdr17xYOwGHcruwoitRyS/w8p8EKos/LIDvjzye5GaPXqXkAkcBcLBpWlg +Mm+j8xE+LzGw1NVw8vWMSpP2WX9kp7aPbh+AjSbT522yHy1r6WeElbSY7WOFvnmg +bZ19pUdyz8CN6KKb87dBA0joyWSly5ZsNbjh/YuRhCgRExvdQ6kImwdKAfO7RLkx +ho6jny1HAgMBAAECggEBAKDxiUHx7cATShm0ElZnd6+dtQfKwv8zsuIpm+hk62Ef +d0zYI+UhrT1sIiryKmV9JaJITOtixtQOxl088D+Obrx8cnC4B84rUTVXpnfgVf9j +FljDtjpxIZsZmPbc836ZUZoOaICKpVYHD69Mb+NWG+mN2oaLc8VP0L4FXKLzvl7u +69NQlTPG2CS61BktVqMtWWc/9CvdOwqwVbckyISj9QLUgSXIyB4IP3bjp0RYSpOu +m3nhuhil1G3c05R4UfiE2d9Er7SBBoQ304ld892YRinSgtZqC1G25uZmWJ3ekAAM +bg6P0hBd86F/G2TxNdelYrxTazjqZShYi1N48SK6kUECgYEA+51O19Q5XkskD/Dn +VfaCjSOTFwDlb5ATmVCrJu+13/5IJfmJgWA6xdqfWoqxSOsJzXBEETKWgkahoo4K +OU1UaBTHEJ588xOpoMzbJkKlb5hPseEQsvu055Ky0euMgmlrALPQQ9e1DUSlowui +Cq9wCak4dqq9NNs6FMIeGhqczGECgYEA0YxcajJFxPHJsdFCVa4tdy9jgfC64t4Y +CWDzRfUnuX24ILbW9+olvvoZkMSzoVpiQ9YU8kPJUaOyFrw6jUV5GRHUCMgfkx2Y +nqe+7aSFmv0Nlo0RMV2PqaOZzlxnG9FzyNE+4PygZqtFhN21b5Idc69k2Ltu7K4J +J4MG1kMUGqcCgYEA0ttUPEisPtoHgZhntUFczHx4gnmMzH5X/k5876dIqkrFGZXR +5urGthHtIwpBYZMeZtxjHmpfeRNJ1xjjdnvYdVScMdAvc+ERcSDbsmd9jlR8zNuI +jAWl576nPoX//TXspu0JZiE5p8HUcRuJkxzMbjwyhje1Ubs6JDU81rFgn2ECgYAG +3WVNqVX1zMIBzEwzCGC+7dOBt0Q4GHSLIhz2JsDlZ8P3dmX2ezo/Vmwt/POxjod3 +l3TaNvRKc2VrL0FvzV3ZP2dF3mCCbk7Iq9AqcuBZon6mdvqgNmN1eEGarBZIqAT2 +CDzaHAyZMHU3lBfUjuHeH1nba9CHenAcVkOME2h+MwKBgQDiHAnTK4ovCNmT5E9i +03x/wPSH8FZ3Wrb1GMtNlTc7lOtB5eYIvwkaloJkNKHbUDv57V66hnYT6CyH4u45 +dPtuohtafL9mdScYqmicGLtbLLglSQpJYt4J59hffNZ30E84dKXtyDN7E5P5Z00Z +8PbOMUy3oK6j+GMP/xRNI76RtA== +-----END PRIVATE KEY----- diff --git a/deps/openssl/openssl/test/certs/goodcn1-cert.pem b/deps/openssl/openssl/test/certs/goodcn1-cert.pem new file mode 100644 index 0000000000..d9205e03b0 --- /dev/null +++ b/deps/openssl/openssl/test/certs/goodcn1-cert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkTCCAnmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +IE5DIENBIDEwIBcNMTgwNTE2MDI0MDA0WhgPMjExODA1MTcwMjQwMDRaMIGeMSMw +IQYDVQQKDBpHb29kIE5DIFRlc3QgQ2VydGlmaWNhdGUgMTEVMBMGA1UEAwwMd3d3 +Lmdvb2Qub3JnMRUwEwYDVQQDDAxhbnkuZ29vZC5jb20xETAPBgNVBAMMCG5vdC4u +ZG5zMRAwDgYDVQQDDAdub3RAZG5zMREwDwYDVQQDDAhub3QtLmRuczERMA8GA1UE +AwwIbm90LmRucy4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDigxI +nlYVjHtrFI+Iv/3b0jeZbs1jVnPF6ZREk46BTNAVNZsq24jKFG6yK4n9vKA/JuS7 +jZe+gMX+sWh/S1IlsNDY8/Io1UsG/s1tmsvE2UrURUX4s8HnqB6AZ4Y9Cp4rSADe +mD/YdekRf3HFA0IKQvIFRkpegj8uuWwILC0n/ozMNUlNmxCBlOmtFwjFxmNr9Txa +ZeFvWvvc6oTubAETK4HcjLdimx1tePdd4+0mxJ/akQ3wVzUAI2ysijMmMJDzTxLs +FPkw4yUtJHK0/H2yJtpoJ4wQjsWd6a8F7wY/pHszAud1M8QZJKQDzkJOMnqLKNLT +OKw6dm1UG2J7iuqtAgMBAAGjXjBcMB0GA1UdDgQWBBSTKvqap2ab0z/UPrdDgc0V +m88R3TAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzAJBgNVHRMEAjAA +MA8GA1UdEQQIMAaHBMCoAAEwDQYJKoZIhvcNAQELBQADggEBADcdm62qaOHbIDoa +5oUjXGHSQjV1g4BFe6DLH5/CZ0wOws3QzfQbPIxJrp3yJgDcQyZNOE/xQlq/nASS +thU6cUTB07voFVnbotB8YQuNU1wM9TAJOHC9LT1Y0J2GIP6QeXts6Cz6aBlqaQEZ +IrGRLuKVZePTO0Haup0mZ91XoXs3CBzkSerl0XpFL7BeugSigrhprFRPB4UC3IWb +pdNar61Wk4bN/COb6utRkK3iYk5YUTqYFib9EG4VBdxYfXv/tiBIGqQLnqPbId6w +q+McpSEPF1DIcCyL0vEDdIVN0SzxMfnfHMx0Qp0sh2aydIZk4xfEqXHZgZthSrse +u7nhn7s= +-----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/certs/goodcn1-key.pem b/deps/openssl/openssl/test/certs/goodcn1-key.pem new file mode 100644 index 0000000000..2ad660c6db --- /dev/null +++ b/deps/openssl/openssl/test/certs/goodcn1-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDDigxInlYVjHtr +FI+Iv/3b0jeZbs1jVnPF6ZREk46BTNAVNZsq24jKFG6yK4n9vKA/JuS7jZe+gMX+ +sWh/S1IlsNDY8/Io1UsG/s1tmsvE2UrURUX4s8HnqB6AZ4Y9Cp4rSADemD/YdekR +f3HFA0IKQvIFRkpegj8uuWwILC0n/ozMNUlNmxCBlOmtFwjFxmNr9TxaZeFvWvvc +6oTubAETK4HcjLdimx1tePdd4+0mxJ/akQ3wVzUAI2ysijMmMJDzTxLsFPkw4yUt +JHK0/H2yJtpoJ4wQjsWd6a8F7wY/pHszAud1M8QZJKQDzkJOMnqLKNLTOKw6dm1U +G2J7iuqtAgMBAAECggEAeQ1xZVOAf36kuTnVUhdplTii6v3JcQIIUjG0dG/U/P8M +otS45uNZ36CelvaVStwHaJEvcVzK4EjgSjiSNJvwkxzPbkA3XkgNVptPmdcG5yqO +RLNOChVeqYdOurdcR1XXbXv57dPbUqpMS2TWjdzieW/QXKuTRsbjTo3D75tJqUO6 +1Bm4sSM3PogmsQwTP8HlZAmJXuSD+ZSB22Np5pT1dn5TvQU6xeA3NJR4ZO/HEZz4 +CHJEiOx2BuGD6M0V1ZL6DzEsyIS/KKsvj4I2F4ROAK1j3lSD5VqrYPXn3oEsQdlm +OW8aVnHPYO6FI0LVLgcIEKxhdwGV3i6v/GRUe0Y9kQKBgQD0Zqn1trAuP5Peiy1K +Wc91yRjQxQTwSD00hzXMtvKzkEIiLEuVZq9qrqQ2TRRa5xneDGHDuUY9eZY8JwEr +l7f8CcfYC93PXLyRM2Gaz0jMxZxVPz5w7zssK3DZ+7JvH3nKkCUl7+Y0tH26qTO0 +wTD9w9jd9bf85SLVgk3zSbUDwwKBgQDM0b2ffZpxyA16h7w8ZBuk1Z+iumrxnn5/ +lKtffR2b4dZN37KiWw2c265vYhRfe/ANnVuagXb9aRM97yeQloRlWR10AaXJz3EB +sromqFShkorYRhwZoRiJC0laLG3W76wKMRr2T6TM1UG9gJ0szdGFG/yUDU+9pTRo +uq514rGgzwKBgQCGtsAgLF7YXzsGg/im7vInnn0LNk4OlAMInS7OdFk7GN0bMQdI +hp1SVIk3VS1PHetoNbL9y3YoFIj3BxjiCnLjfhClyYSt9BQMhSHbzz31gUc2xfGJ +FpSrOBawUMh97/+V4/ZV/vIJQyO6a+GQVJzIg9daIUMVJsgYoAaPf6VDOQKBgFyH +eHnf/XDfpq8vOOuzcgWieG7EduHW72DlohIObNzqRq2BnKraJakyWXh6P6fvTsBn +0WVYjY/n80hsjVw1k3RRsQuiXupv66aPvqcOLsWbdVxFOBaf/3yR+75gCfMq7Xbh +PkP+MP5UbVGWE+uUw821mgKsjNSpGKcjhwM8uXBjAoGAFEU3O8gQXfocVB8lxUeU +c0inLdAIgiw/36NPuW4NwKxzLOmHzlmvn7C98ihnbnGoQ0XBRfLw8siTbD3INgHY +NA0JeK8Qrt56b6wK14w9RzLQTu9gy1pULW21p1wswdNK4tlxfnnnozISZAYxeqAx +YMTtYZN77nb+yY4oE6XEugQ= +-----END PRIVATE KEY----- diff --git a/deps/openssl/openssl/test/certs/setup.sh b/deps/openssl/openssl/test/certs/setup.sh index 7e1086a224..018e5fc690 100755 --- a/deps/openssl/openssl/test/certs/setup.sh +++ b/deps/openssl/openssl/test/certs/setup.sh @@ -241,15 +241,30 @@ NC="$NC excluded;DNS:bad.ok.good.com" NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \ ncca1-key ncca1-cert -# all subjectAltNames allowed by CA1. +# all subjectAltNames allowed by CA1. Some CNs are not! ./mkcert.sh req alt1-key "O = Good NC Test Certificate 1" \ - "1.CN=www.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \ + "1.CN=www.example.net" "2.CN=Joe Bloggs" | \ ./mkcert.sh geneealt alt1-key alt1-cert ncca1-key ncca1-cert \ "DNS.1 = www.good.org" "DNS.2 = any.good.com" \ "email.1 = good@good.org" "email.2 = any@good.com" \ "IP = 127.0.0.1" "IP = 192.168.0.1" +# all DNS-like CNs allowed by CA1, no DNS SANs. + +./mkcert.sh req goodcn1-key "O = Good NC Test Certificate 1" \ + "1.CN=www.good.org" "2.CN=any.good.com" \ + "3.CN=not..dns" "4.CN=not@dns" "5.CN=not-.dns" "6.CN=not.dns." | \ + ./mkcert.sh geneealt goodcn1-key goodcn1-cert ncca1-key ncca1-cert \ + "IP = 127.0.0.1" "IP = 192.168.0.1" + +# Some DNS-like CNs not permitted by CA1, no DNS SANs. + +./mkcert.sh req badcn1-key "O = Good NC Test Certificate 1" \ + "1.CN=www.good.org" "3.CN=bad.net" | \ + ./mkcert.sh geneealt badcn1-key badcn1-cert ncca1-key ncca1-cert \ + "IP = 127.0.0.1" "IP = 192.168.0.1" + # no subjectAltNames excluded by CA2. ./mkcert.sh req alt2-key "O = Good NC Test Certificate 2" | \ @@ -293,19 +308,17 @@ NC=$NC ./mkcert.sh genca "Test NC sub CA" ncca3-key ncca3-cert \ "email.1 = good@good.org" "email.2 = any@good.com" \ "IP = 127.0.0.2" -# all subject alt names OK but subject CN not allowed by CA1. +# No DNS-ID SANs and subject CN not allowed by CA1. ./mkcert.sh req badalt6-key "O = Bad NC Test Certificate 6" \ "1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \ ./mkcert.sh geneealt badalt6-key badalt6-cert ncca1-key ncca1-cert \ - "DNS.1 = www.good.org" "DNS.2 = any.good.com" \ "email.1 = good@good.org" "email.2 = any@good.com" \ "IP = 127.0.0.1" "IP = 192.168.0.1" -# all subject alt names OK but subject CN not allowed by CA1, BMPSTRING +# No DNS-ID SANS and subject CN not allowed by CA1, BMPSTRING REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \ "1.CN=other.good.org" "2.CN=Joe Bloggs" "3.CN=any.good.com" | \ ./mkcert.sh geneealt badalt7-key badalt7-cert ncca1-key ncca1-cert \ - "DNS.1 = www.good.org" "DNS.2 = any.good.com" \ "email.1 = good@good.org" "email.2 = any@good.com" \ "IP = 127.0.0.1" "IP = 192.168.0.1" diff --git a/deps/openssl/openssl/test/ct/log_list.conf b/deps/openssl/openssl/test/ct/log_list.conf index 3724599a9d..4b68e53558 100644 --- a/deps/openssl/openssl/test/ct/log_list.conf +++ b/deps/openssl/openssl/test/ct/log_list.conf @@ -35,3 +35,4 @@ key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEluqsHEYMG1XcDfy1lCdGV0JwOmkY4r87xNuroP [venafi] description = Venafi log key = MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAolpIHxdSlTXLo1s6H1OCdpSj/4DyHDc8wLG9wVmLqy1lk9fz4ATVmm+/1iN2Nk8jmctUKK2MFUtlWXZBSpym97M7frGlSaQXUWyA3CqQUEuIJOmlEjKTBEiQAvpfDjCHjlV2Be4qTM6jamkJbiWtgnYPhJL6ONaGTiSPm7Byy57iaz/hbckldSOIoRhYBiMzeNoA0DiRZ9KmfSeXZ1rB8y8X5urSW+iBzf2SaOfzBvDpcoTuAaWx2DPazoOl28fP1hZ+kHUYvxbcMjttjauCFx+JII0dmuZNIwjfeG/GBb9frpSX219k1O4Wi6OEbHEr8at/XQ0y7gTikOxBn/s5wQIDAQAB + diff --git a/deps/openssl/openssl/test/danetest.in b/deps/openssl/openssl/test/danetest.in index c94f526aab..0cedf10a2a 100644 --- a/deps/openssl/openssl/test/danetest.in +++ b/deps/openssl/openssl/test/danetest.in @@ -26,7 +26,7 @@ # 3 1 0 3059301306072A8648CE3D020106082A8648CE3D03010703420004664995F47BDE35E7B4DE48B258E9E8A07ADEBBDB863B3D06F481A1946C83DA9F56CFF4D9389B855D2F364B1585B0C734FCFA263026964FF5A4308B3FC879BDB8 # 3 1 1 3111668338043DE264D0256A702248696C9484B6221A42740F920187B4C61838 # 3 1 2 CB861AF6DDED185EE04472A9092052CCC735120C34785E72C996C94B122EBA6F329BE630B1B4C6E2756E7A75392C21E253C6AEACC31FD45FF4595DED375FAF62 -# -- +# -- # subject= CN = Issuer CA # 2 0 0 308201683082010DA003020102020102300A06082A8648CE3D04030230123110300E06035504030C07526F6F742043413020170D3135313231333233323030395A180F33303135303431353233323030395A30143112301006035504030C094973737565722043413059301306072A8648CE3D020106082A8648CE3D030107034200047D4BAE18B49F5DC69D0A3C85C66A3E2119DE92CFAD081FAD55C12D510EC97B6C00E13695A8D9713548FE60DF15573390433E2A1BD92DB4B7AA016EC6185DC5AFA350304E301D0603551D0E041604147AB75A3CD295CA5DF7C5150916E18FF5CC376A15301F0603551D23041830168014E4BD405F052A820DDF9883F93D7D3F90AAEC723F300C0603551D13040530030101FF300A06082A8648CE3D0403020349003046022100831DCD882DA8785D50E41020898C0248879DDDF72D701D1DC1DE6BE08155B43E022100B84B2FB519C4CD3CBC791603D4488F7707597DB7980D9C173E7FDD0ECD7CA308 # 2 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBD diff --git a/deps/openssl/openssl/test/errtest.c b/deps/openssl/openssl/test/errtest.c new file mode 100644 index 0000000000..df4cddb096 --- /dev/null +++ b/deps/openssl/openssl/test/errtest.c @@ -0,0 +1,40 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/opensslconf.h> +#include <openssl/err.h> + +#include "testutil.h" + +#if defined(OPENSSL_SYS_WINDOWS) +# include <windows.h> +#else +# include <errno.h> +#endif + +/* Test that querying the error queue preserves the OS error. */ +static int preserves_system_error(void) +{ +#if defined(OPENSSL_SYS_WINDOWS) + SetLastError(ERROR_INVALID_FUNCTION); + ERR_get_error(); + return GetLastError() == ERROR_INVALID_FUNCTION; +#else + errno = EINVAL; + ERR_get_error(); + return errno == EINVAL; +#endif +} + +int main(int argc, char **argv) +{ + ADD_TEST(preserves_system_error); + + return run_tests(argv[0]); +} diff --git a/deps/openssl/openssl/test/evp_test.c b/deps/openssl/openssl/test/evp_test.c index 4bea4ea2b9..ea9455374f 100644 --- a/deps/openssl/openssl/test/evp_test.c +++ b/deps/openssl/openssl/test/evp_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1592,19 +1592,19 @@ static int pderive_test_run(struct evp_test *t) struct pkey_data *kdata = t->data; unsigned char *out = NULL; size_t out_len; - const char *err = "INTERNAL_ERROR"; + const char *err = "DERIVE_ERROR"; - out_len = kdata->output_len; + if (EVP_PKEY_derive(kdata->ctx, NULL, &out_len) <= 0) + goto err; out = OPENSSL_malloc(out_len); if (!out) { fprintf(stderr, "Error allocating output buffer!\n"); exit(1); } - err = "DERIVE_ERROR"; if (EVP_PKEY_derive(kdata->ctx, out, &out_len) <= 0) goto err; err = "SHARED_SECRET_LENGTH_MISMATCH"; - if (out_len != kdata->output_len) + if (kdata->output == NULL || out_len != kdata->output_len) goto err; err = "SHARED_SECRET_MISMATCH"; if (check_output(t, kdata->output, out, out_len)) @@ -2169,3 +2169,4 @@ static const struct evp_test_method keypair_test_method = { void_test_parse, keypair_test_run }; + diff --git a/deps/openssl/openssl/test/evptests.txt b/deps/openssl/openssl/test/evptests.txt index 83c6c6a3a9..269684e11b 100644 --- a/deps/openssl/openssl/test/evptests.txt +++ b/deps/openssl/openssl/test/evptests.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -15,7 +15,7 @@ # Which is currently unsupported by OpenSSL. They were generated using the # reference implementation. RFC7693 also mentions the 616263 / "abc" values. Digest = BLAKE2s256 -Input = +Input = Output = 69217a3079908094e11121d042354a7c1f55b6482ca1a51e1b250dfd1ed0eef9 Digest = BLAKE2s256 @@ -51,7 +51,7 @@ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223 Output = C80ABEEBB669AD5DEEB5F5EC8EA6B7A05DDF7D31EC4C0A2EE20B0B98CAEC6746 Digest = BLAKE2b512 -Input = +Input = Output = 786a02f742015903c6c6fd852552d272912f4740e15847618a86e217f71f5419d25e1031afee585313896444934eb04b903a685b1448b755d56f701afe9be2ce Digest = BLAKE2b512 @@ -19144,6 +19144,35 @@ PeerKey=KAS-ECC-CDH_B-571_C24-Peer-PUBLIC Ctrl=ecdh_cofactor_mode:1 SharedSecret=02da266a269bdc8d8b2a0c6bb5762f102fc801c8d5394a9271539136bd81d4b69cfbb7525cd0a983fb7f7e9deec583b8f8e574c6184b2d79831ec770649e484dc006fa35b0bffd0b +# for cofactor-order points, ECC CDH (co-factor ECDH) should fail. Test that. + +PrivateKey=ALICE_cf_sect283k1 +-----BEGIN PRIVATE KEY----- +MIGQAgEAMBAGByqGSM49AgEGBSuBBAAQBHkwdwIBAQQkAHtPwRfQZ9pWgSctyHdt +xt3pd8ESMI3ugVx8MDLkiVB8GkCRoUwDSgAEA+xpY5sDcgM2yYxoWOrzH7WUH+b3 +n68A32kODgcKu8PXRYEKBH8Xzbr974982ZJW1sGrDs+P81sIFH8tdp45Jkr+OtfM +8uKr +-----END PRIVATE KEY----- + +PublicKey=ALICE_cf_sect283k1_PUB +-----BEGIN PUBLIC KEY----- +MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEA+xpY5sDcgM2yYxoWOrzH7WUH+b3n68A +32kODgcKu8PXRYEKBH8Xzbr974982ZJW1sGrDs+P81sIFH8tdp45Jkr+OtfM8uKr +-----END PUBLIC KEY----- + +PublicKey=BOB_cf_sect283k1_PUB +-----BEGIN PUBLIC KEY----- +MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB +-----END PUBLIC KEY----- + +PrivPubKeyPair = ALICE_cf_sect283k1:ALICE_cf_sect283k1_PUB + +# ECDH Alice with Bob peer +Derive=ALICE_cf_sect283k1 +PeerKey=BOB_cf_sect283k1_PUB +Ctrl=ecdh_cofactor_mode:1 +Result = DERIVE_ERROR # Test mismatches PrivPubKeyPair = Alice-25519:Bob-25519-PUBLIC diff --git a/deps/openssl/openssl/test/r160test.c b/deps/openssl/openssl/test/r160test.c index 9ed453849e..06033eb91f 100644 --- a/deps/openssl/openssl/test/r160test.c +++ b/deps/openssl/openssl/test/r160test.c @@ -6,3 +6,4 @@ * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ + diff --git a/deps/openssl/openssl/test/recipes/04-test_err.t b/deps/openssl/openssl/test/recipes/04-test_err.t new file mode 100644 index 0000000000..dd7681afa4 --- /dev/null +++ b/deps/openssl/openssl/test/recipes/04-test_err.t @@ -0,0 +1,12 @@ +#! /usr/bin/env perl +# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use OpenSSL::Test::Simple; + +simple_test("test_err", "errtest"); diff --git a/deps/openssl/openssl/test/recipes/04-test_pem_data/cert-trailingwhitespace.pem b/deps/openssl/openssl/test/recipes/04-test_pem_data/cert-trailingwhitespace.pem index 99ddf079a4..ab0dfe85b7 100644 --- a/deps/openssl/openssl/test/recipes/04-test_pem_data/cert-trailingwhitespace.pem +++ b/deps/openssl/openssl/test/recipes/04-test_pem_data/cert-trailingwhitespace.pem @@ -1,28 +1,28 @@ -----BEGIN CERTIFICATE----- -MIIEzDCCA7QCCQCgxkRox+YljjANBgkqhkiG9w0BAQsFADCCASYxYzBhBgNVBAgM -WlRoZSBHcmVhdCBTdGF0ZSBvZiBMb25nLVdpbmRlZCBDZXJ0aWZpY2F0ZSBGaWVs -ZCBOYW1lcyBXaGVyZWJ5IHRvIEluY3JlYXNlIHRoZSBPdXRwdXQgU2l6ZTEfMB0G -A1UEBwwWVG9vbWFueWNoYXJhY3RlcnN2aWxsZTFIMEYGA1UECgw/VGhlIEJlbmV2 -b2xlbnQgU29jaWV0eSBvZiBMb3F1YWNpb3VzIGFuZCBQbGVvbmFzdGljIFBlcmlw -aHJhc2lzMT0wOwYDVQQLDDRFbmRvcnNlbWVudCBvZiBWb3VjaHNhZmUnZCBFdmlk -ZW50aWFyeSBDZXJ0aWZpY2F0aW9uMRUwEwYDVQQDDAxjZXJ0LmV4YW1wbGUwHhcN -MTcwMjIzMjAyNTM2WhcNMTcwMzI1MjAyNTM2WjCCASYxYzBhBgNVBAgMWlRoZSBH -cmVhdCBTdGF0ZSBvZiBMb25nLVdpbmRlZCBDZXJ0aWZpY2F0ZSBGaWVsZCBOYW1l -cyBXaGVyZWJ5IHRvIEluY3JlYXNlIHRoZSBPdXRwdXQgU2l6ZTEfMB0GA1UEBwwW -VG9vbWFueWNoYXJhY3RlcnN2aWxsZTFIMEYGA1UECgw/VGhlIEJlbmV2b2xlbnQg -U29jaWV0eSBvZiBMb3F1YWNpb3VzIGFuZCBQbGVvbmFzdGljIFBlcmlwaHJhc2lz -MT0wOwYDVQQLDDRFbmRvcnNlbWVudCBvZiBWb3VjaHNhZmUnZCBFdmlkZW50aWFy -eSBDZXJ0aWZpY2F0aW9uMRUwEwYDVQQDDAxjZXJ0LmV4YW1wbGUwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7MOIrqH+ZIJiZdroKMrelKMSvvRKg2MEg -j/sx9TaHHqrKys4AiL4Rq/ybQEigFC6G8mpZWbBrU+vN2SLr1ZsPftCHIY12LF56 -0WLYTYNqDgF5BdCZCrjJ2hhN+XwML2tgYdWioV/Eey8SJSqUskf03MpcwnLbVfSp -hwmowqNfiEFFqPBCf7E8IVarGWctbMpvlMbAM5owhMev/Ccmqqt81NFkb1WVejvN -5v/JKv243/Xedf4I7ZJv7zKeswoP9piFzWHXCd9SIVzWqF77u/crHufIhoEa7NkZ -hSC2aosQF619iKnfk0nqWaLDJ182CCXkHERoQC7q9X2IGLDLoA0XAgMBAAEwDQYJ -KoZIhvcNAQELBQADggEBAKbtLx+YlCGRCBmYn3dfYF+BIvK/b/e0DKNhDKhb4s9J -ywlJ4qnAB48tgPx0q+ZB+EdMYRqCwyvXJxEdZ7PsCdUeU6xI2ybkhSdUUfQbYem3 -aYRG+yukGzazySQJs8lGqxBlRMFl/FGCg+oSQ/I32eGf8micDskj2zkAJtCkUPHX -30YrWMfOwW1r2xYr2mBNXbNWXJhW/sIg5u8aa9fcALeuQcMXkbsbVoPmC5aLdiVZ -rvUFoJ8DPg0aYYwj64RwU0B5HW/7jKhQ25FgKVAzLGrgYx1DivkM7UQGdWYnU8IA -A8S89gRjGk2hnkeagWas3dxqTTpgJDhprgWzyKa9hII= +MIIEzDCCA7QCCQCgxkRox+YljjANBgkqhkiG9w0BAQsFADCCASYxYzBhBgNVBAgM +WlRoZSBHcmVhdCBTdGF0ZSBvZiBMb25nLVdpbmRlZCBDZXJ0aWZpY2F0ZSBGaWVs +ZCBOYW1lcyBXaGVyZWJ5IHRvIEluY3JlYXNlIHRoZSBPdXRwdXQgU2l6ZTEfMB0G +A1UEBwwWVG9vbWFueWNoYXJhY3RlcnN2aWxsZTFIMEYGA1UECgw/VGhlIEJlbmV2 +b2xlbnQgU29jaWV0eSBvZiBMb3F1YWNpb3VzIGFuZCBQbGVvbmFzdGljIFBlcmlw +aHJhc2lzMT0wOwYDVQQLDDRFbmRvcnNlbWVudCBvZiBWb3VjaHNhZmUnZCBFdmlk +ZW50aWFyeSBDZXJ0aWZpY2F0aW9uMRUwEwYDVQQDDAxjZXJ0LmV4YW1wbGUwHhcN +MTcwMjIzMjAyNTM2WhcNMTcwMzI1MjAyNTM2WjCCASYxYzBhBgNVBAgMWlRoZSBH +cmVhdCBTdGF0ZSBvZiBMb25nLVdpbmRlZCBDZXJ0aWZpY2F0ZSBGaWVsZCBOYW1l +cyBXaGVyZWJ5IHRvIEluY3JlYXNlIHRoZSBPdXRwdXQgU2l6ZTEfMB0GA1UEBwwW +VG9vbWFueWNoYXJhY3RlcnN2aWxsZTFIMEYGA1UECgw/VGhlIEJlbmV2b2xlbnQg +U29jaWV0eSBvZiBMb3F1YWNpb3VzIGFuZCBQbGVvbmFzdGljIFBlcmlwaHJhc2lz +MT0wOwYDVQQLDDRFbmRvcnNlbWVudCBvZiBWb3VjaHNhZmUnZCBFdmlkZW50aWFy +eSBDZXJ0aWZpY2F0aW9uMRUwEwYDVQQDDAxjZXJ0LmV4YW1wbGUwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7MOIrqH+ZIJiZdroKMrelKMSvvRKg2MEg +j/sx9TaHHqrKys4AiL4Rq/ybQEigFC6G8mpZWbBrU+vN2SLr1ZsPftCHIY12LF56 +0WLYTYNqDgF5BdCZCrjJ2hhN+XwML2tgYdWioV/Eey8SJSqUskf03MpcwnLbVfSp +hwmowqNfiEFFqPBCf7E8IVarGWctbMpvlMbAM5owhMev/Ccmqqt81NFkb1WVejvN +5v/JKv243/Xedf4I7ZJv7zKeswoP9piFzWHXCd9SIVzWqF77u/crHufIhoEa7NkZ +hSC2aosQF619iKnfk0nqWaLDJ182CCXkHERoQC7q9X2IGLDLoA0XAgMBAAEwDQYJ +KoZIhvcNAQELBQADggEBAKbtLx+YlCGRCBmYn3dfYF+BIvK/b/e0DKNhDKhb4s9J +ywlJ4qnAB48tgPx0q+ZB+EdMYRqCwyvXJxEdZ7PsCdUeU6xI2ybkhSdUUfQbYem3 +aYRG+yukGzazySQJs8lGqxBlRMFl/FGCg+oSQ/I32eGf8micDskj2zkAJtCkUPHX +30YrWMfOwW1r2xYr2mBNXbNWXJhW/sIg5u8aa9fcALeuQcMXkbsbVoPmC5aLdiVZ +rvUFoJ8DPg0aYYwj64RwU0B5HW/7jKhQ25FgKVAzLGrgYx1DivkM7UQGdWYnU8IA +A8S89gRjGk2hnkeagWas3dxqTTpgJDhprgWzyKa9hII= -----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/recipes/04-test_pem_data/dsa-trailingwhitespace.pem b/deps/openssl/openssl/test/recipes/04-test_pem_data/dsa-trailingwhitespace.pem index 78ebd1b702..0b5de58c4c 100644 --- a/deps/openssl/openssl/test/recipes/04-test_pem_data/dsa-trailingwhitespace.pem +++ b/deps/openssl/openssl/test/recipes/04-test_pem_data/dsa-trailingwhitespace.pem @@ -2,22 +2,22 @@ Proc-Type: 4,ENCRYPTED DEK-Info: AES-256-CBC,A2A7FA3E5E454B59C8777564E7AF3CD6 -EBDWX0Qfarl+QNsHgCUudLyb6DkC4zyaDU/vUqWyHX0m+8W2bbmT5TexlL3hsM5U -gz7KsGqyjeOuK9QT5LOM4VyK6BgmhqpQaJ1MgCWA/gbBPTgBp2jfp3oS0WC5D6GM -wcsdqoeIpD/wce3k0H2Gfu6+rINBmbITtn4DTf3PkOcDIwdDceN2qkZanloFVriS -3kABUIh1ehYIXQibLRFY5rXdQnhY2CZNrQFIMwl64hK5P5hQbcyJKGDHAYzXV7ou -pdXy5F9oyEd6eA5ix+n1jKFRB7PmApZmuiQjzfExVKmBPGxRzOGT0qR5vLylQhei -SC77nkerawUyjA2QlIa/SmNzXEYkN3goDzHSFKBauB0o5qFc1b1x7dXPCFL0atG5 -UxoRr/Ep7tiab4DZmYEnOGkL2dVN8jA04F+HQGBeP6nDOSKhXRjbUODUpDpDvj+F -Jf77Rv0p48l9ip8i/bquwukXlMed3O4d6rnEwkggdySS5itiShwaVLPf+icI/Yd4 -vcPXDPUHTkj1XmoZ4f1mUF17OtCohsJT7O4oMBBMBwqCkC7enrLaALi9jiKym47g -2bZH05xJPpWXS/kSEkwt/jI+a+o4CuDPly3XhIcYRtsaWBJWiam1OT7sGQ+zkjTG -Aa6NfwbR8ScQC8MzDfVnkJ3VnXjT345bz+F7HTAveQ8a7KGxNntPhE0KVjpl369K -q2TMLyexQARJapabBf/ST9zWP7wxzWfrEbX3OEZCuRDVkwWf18BH/Eh6Lqnqg5QM -4GuX708NiFpiwQt9p/DAuQdhBrP67BxL64CbI7CgW4Lv3z3qnKfFV9zY5/mxCERn -9mPOig2r8WvvXt7ch6nhzBPfCwq0BoPqLKUFgDpeXsNdJ9sW5IV3yi/3Bh98ZBYX -zj8g/7XMo6v998fct+EiHPscuqeYUaoJZ6+Zj7W45nGA9DGsnEmZ0Wux2tTj70mD -oH//21TiRAx6ypPP+Iq2YDzqh7VXc/gssOn/vU1Aj19gzL+MRn1Z55SMrA7nO90m -OgOyEP+uGrXyahfZGPbmpgIx+MTbtfvRtZBsG3EcXyW9NnHJfk4O8xN3hYPWXaBI -o15qB3jYbx1oktbcQPo0hzaNv+PJ5wtT47JLNcbMeMSnwKM8MB4CXlM43RUtKws6 +EBDWX0Qfarl+QNsHgCUudLyb6DkC4zyaDU/vUqWyHX0m+8W2bbmT5TexlL3hsM5U +gz7KsGqyjeOuK9QT5LOM4VyK6BgmhqpQaJ1MgCWA/gbBPTgBp2jfp3oS0WC5D6GM +wcsdqoeIpD/wce3k0H2Gfu6+rINBmbITtn4DTf3PkOcDIwdDceN2qkZanloFVriS +3kABUIh1ehYIXQibLRFY5rXdQnhY2CZNrQFIMwl64hK5P5hQbcyJKGDHAYzXV7ou +pdXy5F9oyEd6eA5ix+n1jKFRB7PmApZmuiQjzfExVKmBPGxRzOGT0qR5vLylQhei +SC77nkerawUyjA2QlIa/SmNzXEYkN3goDzHSFKBauB0o5qFc1b1x7dXPCFL0atG5 +UxoRr/Ep7tiab4DZmYEnOGkL2dVN8jA04F+HQGBeP6nDOSKhXRjbUODUpDpDvj+F +Jf77Rv0p48l9ip8i/bquwukXlMed3O4d6rnEwkggdySS5itiShwaVLPf+icI/Yd4 +vcPXDPUHTkj1XmoZ4f1mUF17OtCohsJT7O4oMBBMBwqCkC7enrLaALi9jiKym47g +2bZH05xJPpWXS/kSEkwt/jI+a+o4CuDPly3XhIcYRtsaWBJWiam1OT7sGQ+zkjTG +Aa6NfwbR8ScQC8MzDfVnkJ3VnXjT345bz+F7HTAveQ8a7KGxNntPhE0KVjpl369K +q2TMLyexQARJapabBf/ST9zWP7wxzWfrEbX3OEZCuRDVkwWf18BH/Eh6Lqnqg5QM +4GuX708NiFpiwQt9p/DAuQdhBrP67BxL64CbI7CgW4Lv3z3qnKfFV9zY5/mxCERn +9mPOig2r8WvvXt7ch6nhzBPfCwq0BoPqLKUFgDpeXsNdJ9sW5IV3yi/3Bh98ZBYX +zj8g/7XMo6v998fct+EiHPscuqeYUaoJZ6+Zj7W45nGA9DGsnEmZ0Wux2tTj70mD +oH//21TiRAx6ypPP+Iq2YDzqh7VXc/gssOn/vU1Aj19gzL+MRn1Z55SMrA7nO90m +OgOyEP+uGrXyahfZGPbmpgIx+MTbtfvRtZBsG3EcXyW9NnHJfk4O8xN3hYPWXaBI +o15qB3jYbx1oktbcQPo0hzaNv+PJ5wtT47JLNcbMeMSnwKM8MB4CXlM43RUtKws6 -----END DSA PRIVATE KEY----- diff --git a/deps/openssl/openssl/test/recipes/15-test_genrsa.t b/deps/openssl/openssl/test/recipes/15-test_genrsa.t index cc74e303f1..766ea4f0aa 100644 --- a/deps/openssl/openssl/test/recipes/15-test_genrsa.t +++ b/deps/openssl/openssl/test/recipes/15-test_genrsa.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -18,9 +18,38 @@ setup("test_genrsa"); plan tests => 5; +# We want to know that an absurdly small number of bits isn't support is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), 0, "genrsa -3 8"); -ok(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '16'])), "genrsa -3 16"); -ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout'])), "rsa -check"); -ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', '16'])), "genrsa -f4 16"); -ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout'])), "rsa -check"); + +# Depending on the shared library, we might have different lower limits. +# Let's find it! This is a simple binary search +# ------------------------------------------------------------ +# NOTE: $good may need an update in the future +# ------------------------------------------------------------ +note "Looking for lowest amount of bits"; +my $bad = 3; # Log2 of number of bits (2 << 3 == 8) +my $good = 11; # Log2 of number of bits (2 << 11 == 2048) +while ($good > $bad + 1) { + my $checked = int(($good + $bad + 1) / 2); + if (run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', + 2 ** $checked ], stderr => undef))) { + note 2 ** $checked, " bits is good"; + $good = $checked; + } else { + note 2 ** $checked, " bits is bad"; + $bad = $checked; + } +} +$good++ if $good == $bad; +$good = 2 ** $good; +note "Found lowest allowed amount of bits to be $good"; + +ok(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', $good ])), + "genrsa -3 $good"); +ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])), + "rsa -check"); +ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', $good ])), + "genrsa -f4 $good"); +ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])), + "rsa -check"); unlink 'genrsatest.pem'; diff --git a/deps/openssl/openssl/test/recipes/25-test_verify.t b/deps/openssl/openssl/test/recipes/25-test_verify.t index 11bd43090f..11f54d0486 100644 --- a/deps/openssl/openssl/test/recipes/25-test_verify.t +++ b/deps/openssl/openssl/test/recipes/25-test_verify.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -30,7 +30,7 @@ sub verify { run(app([@args])); } -plan tests => 127; +plan tests => 129; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -326,6 +326,12 @@ ok(verify("alt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ), ok(verify("alt3-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), "Name Constraints nested test all permitted"); +ok(verify("goodcn1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), + "Name Constraints CNs permitted"); + +ok(!verify("badcn1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), + "Name Constraints CNs not permitted"); + ok(!verify("badalt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), "Name Constraints hostname not permitted"); diff --git a/deps/openssl/openssl/test/recipes/60-test_x509_dup_cert.t b/deps/openssl/openssl/test/recipes/60-test_x509_dup_cert.t new file mode 100644 index 0000000000..8e1c313814 --- /dev/null +++ b/deps/openssl/openssl/test/recipes/60-test_x509_dup_cert.t @@ -0,0 +1,19 @@ +#! /usr/bin/env perl +# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html +# +# ====================================================================== +# Copyright (c) 2017 Oracle and/or its affiliates. All rights reserved. + + +use OpenSSL::Test qw/:DEFAULT srctop_file/; + +setup("test_x509_dup_cert"); + +plan tests => 1; + +ok(run(test(["x509_dup_cert_test", srctop_file("test", "certs", "leaf.pem")]))); diff --git a/deps/openssl/openssl/test/recipes/60-test_x509_time.t b/deps/openssl/openssl/test/recipes/60-test_x509_time.t new file mode 100644 index 0000000000..e812cd0b26 --- /dev/null +++ b/deps/openssl/openssl/test/recipes/60-test_x509_time.t @@ -0,0 +1,12 @@ +#! /usr/bin/env perl +# Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use OpenSSL::Test::Simple; + +simple_test("test_x509_time", "x509_time_test"); diff --git a/deps/openssl/openssl/test/recipes/80-test_ca.t b/deps/openssl/openssl/test/recipes/80-test_ca.t index f40aba1d4d..28a090ea7d 100644 --- a/deps/openssl/openssl/test/recipes/80-test_ca.t +++ b/deps/openssl/openssl/test/recipes/80-test_ca.t @@ -56,3 +56,4 @@ sub yes { close PIPE; return 0; } + diff --git a/deps/openssl/openssl/test/recipes/80-test_cipherlist.t b/deps/openssl/openssl/test/recipes/80-test_cipherlist.t index 98d537e5f3..5c1b1d4545 100644 --- a/deps/openssl/openssl/test/recipes/80-test_cipherlist.t +++ b/deps/openssl/openssl/test/recipes/80-test_cipherlist.t @@ -1,6 +1,6 @@ #! /usr/bin/perl # -# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -12,11 +12,16 @@ use strict; use warnings; use OpenSSL::Test::Simple; -use OpenSSL::Test; +use OpenSSL::Test qw(:DEFAULT openssl_versions); use OpenSSL::Test::Utils qw(alldisabled available_protocols); setup("test_cipherlist"); +my ($build_version, $library_version) = openssl_versions(); +plan skip_all => + "This test recipe isn't supported when doing regression testing" + if $build_version != $library_version; + my $no_anytls = alldisabled(available_protocols("tls")); # If we have no protocols, then we also have no supported ciphers. diff --git a/deps/openssl/openssl/test/recipes/80-test_x509aux.t b/deps/openssl/openssl/test/recipes/80-test_x509aux.t index b4897c5808..65ba5fcf52 100644 --- a/deps/openssl/openssl/test/recipes/80-test_x509aux.t +++ b/deps/openssl/openssl/test/recipes/80-test_x509aux.t @@ -19,7 +19,7 @@ plan skip_all => "test_dane uses ec which is not supported by this OpenSSL build plan tests => 1; # The number of tests being performed -ok(run(test(["x509aux", +ok(run(test(["x509aux", srctop_file("test", "certs", "roots.pem"), srctop_file("test", "certs", "root+anyEKU.pem"), srctop_file("test", "certs", "root-anyEKU.pem"), diff --git a/deps/openssl/openssl/test/recipes/90-test_fuzz.t b/deps/openssl/openssl/test/recipes/90-test_fuzz.t index d152925733..8d3b3541fc 100644 --- a/deps/openssl/openssl/test/recipes/90-test_fuzz.t +++ b/deps/openssl/openssl/test/recipes/90-test_fuzz.t @@ -1,5 +1,5 @@ #!/usr/bin/env perl -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -26,14 +26,14 @@ plan tests => scalar @fuzzers; foreach my $f (@fuzzers) { subtest "Fuzzing $f" => sub { - my @files = glob(srctop_file('fuzz', 'corpora', $f, '*')); - push @files, glob(srctop_file('fuzz', 'corpora', "$f-*", '*')); + my @dirs = glob(srctop_file('fuzz', 'corpora', $f)); + push @dirs, glob(srctop_file('fuzz', 'corpora', "$f-*")); - plan skip_all => "No corpora for $f-test" unless @files; + plan skip_all => "No corpora for $f-test" unless @dirs; - plan tests => scalar @files; + plan tests => scalar @dirs; - foreach (@files) { + foreach (@dirs) { ok(run(fuzz(["$f-test", $_]))); } } diff --git a/deps/openssl/openssl/test/recipes/90-test_shlibload.t b/deps/openssl/openssl/test/recipes/90-test_shlibload.t index 2bc86fdec5..04d5265890 100644 --- a/deps/openssl/openssl/test/recipes/90-test_shlibload.t +++ b/deps/openssl/openssl/test/recipes/90-test_shlibload.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -20,7 +20,7 @@ use configdata; plan skip_all => "Test only supported in a shared build" if disabled("shared"); -plan tests => 3; +plan tests => 4; my $libcrypto_idx = $unified_info{rename}->{libcrypto} // "libcrypto"; my $libssl_idx = $unified_info{rename}->{libssl} // "libssl"; @@ -35,3 +35,6 @@ ok(run(test(["shlibloadtest", "-ssl_first", $libcrypto, $libssl])), "running shlibloadtest -ssl_first"); ok(run(test(["shlibloadtest", "-just_crypto", $libcrypto, $libssl])), "running shlibloadtest -just_crypto"); +ok(run(test(["shlibloadtest", "-dso_ref", $libcrypto, $libssl])), + "running shlibloadtest -dso_ref"); + diff --git a/deps/openssl/openssl/test/recipes/tconversion.pl b/deps/openssl/openssl/test/recipes/tconversion.pl index e19147b697..1cf68dc09b 100644 --- a/deps/openssl/openssl/test/recipes/tconversion.pl +++ b/deps/openssl/openssl/test/recipes/tconversion.pl @@ -23,7 +23,7 @@ my %conversionforms = ( sub tconversion { my $testtype = shift; my $t = shift; - my @conversionforms = + my @conversionforms = defined($conversionforms{$testtype}) ? @{$conversionforms{$testtype}} : @{$conversionforms{"*"}}; diff --git a/deps/openssl/openssl/test/run_tests.pl b/deps/openssl/openssl/test/run_tests.pl index 889d6dc117..77dffb332b 100644 --- a/deps/openssl/openssl/test/run_tests.pl +++ b/deps/openssl/openssl/test/run_tests.pl @@ -21,7 +21,7 @@ use lib "$FindBin::Bin/../util/perl"; use OpenSSL::Glob; use Module::Load::Conditional qw(can_load); -my $TAP_Harness = can_load(modules => { 'TAP::Harness' => undef }) +my $TAP_Harness = can_load(modules => { 'TAP::Harness' => undef }) ? 'TAP::Harness' : 'OpenSSL::TAP::Harness'; my $srctop = $ENV{SRCTOP} || $ENV{TOP}; diff --git a/deps/openssl/openssl/test/shlibloadtest.c b/deps/openssl/openssl/test/shlibloadtest.c index 25df363f23..d584413ac9 100644 --- a/deps/openssl/openssl/test/shlibloadtest.c +++ b/deps/openssl/openssl/test/shlibloadtest.c @@ -40,6 +40,16 @@ static OpenSSL_version_num_t OpenSSL_version_num; #ifdef DSO_DLFCN +# define DSO_DSOBYADDR "DSO_dsobyaddr" +# define DSO_FREE "DSO_free" + +typedef void DSO; +typedef DSO * (*DSO_dsobyaddr_t)(void (*addr)(void), int flags); +typedef int (*DSO_free_t)(DSO *dso); + +static DSO_dsobyaddr_t DSO_dsobyaddr; +static DSO_free_t DSO_free; + # include <dlfcn.h> typedef void * SHLIB; @@ -108,11 +118,13 @@ static int shlib_close(SHLIB lib) # define CRYPTO_FIRST_OPT "-crypto_first" # define SSL_FIRST_OPT "-ssl_first" # define JUST_CRYPTO_OPT "-just_crypto" +# define DSO_REFTEST_OPT "-dso_ref" enum test_types_en { CRYPTO_FIRST, SSL_FIRST, - JUST_CRYPTO + JUST_CRYPTO, + DSO_REFTEST }; int main(int argc, char **argv) @@ -123,7 +135,7 @@ int main(int argc, char **argv) void (*func) (void); SHLIB_SYM sym; } tls_method_sym, ssl_ctx_new_sym, ssl_ctx_free_sym, err_get_error_sym, - openssl_version_num_sym; + openssl_version_num_sym, dso_dsobyaddr_sym, dso_free_sym; enum test_types_en test_type; int i; @@ -138,6 +150,8 @@ int main(int argc, char **argv) test_type = SSL_FIRST; } else if (strcmp(argv[1], JUST_CRYPTO_OPT) == 0) { test_type = JUST_CRYPTO; + } else if (strcmp(argv[1], DSO_REFTEST_OPT) == 0) { + test_type = DSO_REFTEST; } else { printf("Unrecognised argument\n"); return 1; @@ -145,7 +159,8 @@ int main(int argc, char **argv) for (i = 0; i < 2; i++) { if ((i == 0 && (test_type == CRYPTO_FIRST - || test_type == JUST_CRYPTO)) + || test_type == JUST_CRYPTO + || test_type == DSO_REFTEST)) || (i == 1 && test_type == SSL_FIRST)) { if (!shlib_load(argv[2], &cryptolib)) { printf("Unable to load libcrypto\n"); @@ -161,7 +176,7 @@ int main(int argc, char **argv) } } - if (test_type != JUST_CRYPTO) { + if (test_type != JUST_CRYPTO && test_type != DSO_REFTEST) { if (!shlib_sym(ssllib, TLS_METHOD, &tls_method_sym.sym) || !shlib_sym(ssllib, SSL_CTX_NEW, &ssl_ctx_new_sym.sym) || !shlib_sym(ssllib, SSL_CTX_FREE, &ssl_ctx_free_sym.sym)) { @@ -215,6 +230,38 @@ int main(int argc, char **argv) return 1; } + if (test_type == DSO_REFTEST) { +# ifdef DSO_DLFCN + /* + * This is resembling the code used in ossl_init_base() and + * OPENSSL_atexit() to block unloading the library after dlclose(). + * We are not testing this on Windows, because it is done there in a + * completely different way. Especially as a call to DSO_dsobyaddr() + * will always return an error, because DSO_pathbyaddr() is not + * implemented there. + */ + if (!shlib_sym(cryptolib, DSO_DSOBYADDR, &dso_dsobyaddr_sym.sym) + || !shlib_sym(cryptolib, DSO_FREE, &dso_free_sym.sym)) { + printf("Unable to load crypto dso symbols\n"); + return 1; + } + + DSO_dsobyaddr = (DSO_dsobyaddr_t)dso_dsobyaddr_sym.func; + DSO_free = (DSO_free_t)dso_free_sym.func; + + { + DSO *hndl; + /* use known symbol from crypto module */ + if ((hndl = DSO_dsobyaddr((void (*)(void))ERR_get_error, 0)) != NULL) { + DSO_free(hndl); + } else { + printf("Unable to obtain DSO reference from crypto symbol\n"); + return 1; + } + } +# endif /* DSO_DLFCN */ + } + for (i = 0; i < 2; i++) { if ((i == 0 && test_type == CRYPTO_FIRST) || (i == 1 && test_type == SSL_FIRST)) { @@ -224,7 +271,8 @@ int main(int argc, char **argv) } } if ((i == 0 && (test_type == SSL_FIRST - || test_type == JUST_CRYPTO)) + || test_type == JUST_CRYPTO + || test_type == DSO_REFTEST)) || (i == 1 && test_type == CRYPTO_FIRST)) { if (!shlib_close(cryptolib)) { printf("Unable to close libcrypto\n"); diff --git a/deps/openssl/openssl/test/ssl-tests/01-simple.conf b/deps/openssl/openssl/test/ssl-tests/01-simple.conf index 65c7e5d151..5f4dd841b4 100644 --- a/deps/openssl/openssl/test/ssl-tests/01-simple.conf +++ b/deps/openssl/openssl/test/ssl-tests/01-simple.conf @@ -74,3 +74,5 @@ VerifyMode = Peer [test-2] ExpectedClientAlert = UnknownCA ExpectedResult = ClientFail + + diff --git a/deps/openssl/openssl/test/ssl-tests/02-protocol-version.conf b/deps/openssl/openssl/test/ssl-tests/02-protocol-version.conf index cb737f8072..cb89dbc10a 100644 --- a/deps/openssl/openssl/test/ssl-tests/02-protocol-version.conf +++ b/deps/openssl/openssl/test/ssl-tests/02-protocol-version.conf @@ -9971,3 +9971,5 @@ VerifyMode = Peer [test-360] ExpectedProtocol = TLSv1.2 ExpectedResult = Success + + diff --git a/deps/openssl/openssl/test/ssl-tests/03-custom_verify.conf b/deps/openssl/openssl/test/ssl-tests/03-custom_verify.conf index 65c9005ff8..8dca715e74 100644 --- a/deps/openssl/openssl/test/ssl-tests/03-custom_verify.conf +++ b/deps/openssl/openssl/test/ssl-tests/03-custom_verify.conf @@ -234,3 +234,5 @@ client = 8-verify-custom-fail-no-root-client-extra [8-verify-custom-fail-no-root-client-extra] VerifyCallback = RejectAll + + diff --git a/deps/openssl/openssl/test/ssl-tests/04-client_auth.conf b/deps/openssl/openssl/test/ssl-tests/04-client_auth.conf index bf374039d1..0e91bed9f1 100644 --- a/deps/openssl/openssl/test/ssl-tests/04-client_auth.conf +++ b/deps/openssl/openssl/test/ssl-tests/04-client_auth.conf @@ -588,3 +588,5 @@ VerifyMode = Peer [test-19] ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA + + diff --git a/deps/openssl/openssl/test/ssl-tests/04-client_auth.conf.in b/deps/openssl/openssl/test/ssl-tests/04-client_auth.conf.in index bb7fddb8bc..8738aaa769 100644 --- a/deps/openssl/openssl/test/ssl-tests/04-client_auth.conf.in +++ b/deps/openssl/openssl/test/ssl-tests/04-client_auth.conf.in @@ -119,5 +119,5 @@ sub generate_tests() { } } } - + generate_tests(); diff --git a/deps/openssl/openssl/test/ssl-tests/05-sni.conf b/deps/openssl/openssl/test/ssl-tests/05-sni.conf index 4278cbf85b..e1fb3d9d89 100644 --- a/deps/openssl/openssl/test/ssl-tests/05-sni.conf +++ b/deps/openssl/openssl/test/ssl-tests/05-sni.conf @@ -199,3 +199,5 @@ ServerNameCallback = RejectMismatch [5-SNI-bad-sni-reject-mismatch-client-extra] ServerName = invalid + + diff --git a/deps/openssl/openssl/test/ssl-tests/06-sni-ticket.conf b/deps/openssl/openssl/test/ssl-tests/06-sni-ticket.conf index 9ee9c71fcc..9620e015a1 100644 --- a/deps/openssl/openssl/test/ssl-tests/06-sni-ticket.conf +++ b/deps/openssl/openssl/test/ssl-tests/06-sni-ticket.conf @@ -730,3 +730,5 @@ ServerNameCallback = IgnoreMismatch [16-sni-session-ticket-client-extra] ServerName = server2 + + diff --git a/deps/openssl/openssl/test/ssl-tests/07-dtls-protocol-version.conf b/deps/openssl/openssl/test/ssl-tests/07-dtls-protocol-version.conf index bd9a5db7a2..3304a3bbaa 100644 --- a/deps/openssl/openssl/test/ssl-tests/07-dtls-protocol-version.conf +++ b/deps/openssl/openssl/test/ssl-tests/07-dtls-protocol-version.conf @@ -1816,3 +1816,5 @@ VerifyMode = Peer ExpectedProtocol = DTLSv1.2 ExpectedResult = Success Method = DTLS + + diff --git a/deps/openssl/openssl/test/ssl-tests/08-npn.conf b/deps/openssl/openssl/test/ssl-tests/08-npn.conf index 8b4b5360c0..9115ef458b 100644 --- a/deps/openssl/openssl/test/ssl-tests/08-npn.conf +++ b/deps/openssl/openssl/test/ssl-tests/08-npn.conf @@ -790,3 +790,5 @@ NPNProtocols = baz [19-npn-used-if-alpn-not-supported-resumption-client-extra] ALPNProtocols = foo NPNProtocols = bar,baz + + diff --git a/deps/openssl/openssl/test/ssl-tests/08-npn.conf.in b/deps/openssl/openssl/test/ssl-tests/08-npn.conf.in index 7965992244..bcb632f051 100644 --- a/deps/openssl/openssl/test/ssl-tests/08-npn.conf.in +++ b/deps/openssl/openssl/test/ssl-tests/08-npn.conf.in @@ -237,7 +237,7 @@ our @tests = ( test => { "ExpectedALPNProtocol" => undef, "ExpectedNPNProtocol" => "bar", - "ExpectedServerName" => "server2", + "ExpectedServerName" => "server2", }, }, { diff --git a/deps/openssl/openssl/test/ssl-tests/09-alpn.conf b/deps/openssl/openssl/test/ssl-tests/09-alpn.conf index bb11102636..e7e6cb9534 100644 --- a/deps/openssl/openssl/test/ssl-tests/09-alpn.conf +++ b/deps/openssl/openssl/test/ssl-tests/09-alpn.conf @@ -615,3 +615,5 @@ ALPNProtocols = foo [15-alpn-no-client-support-resumption-client-extra] ALPNProtocols = foo + + diff --git a/deps/openssl/openssl/test/ssl-tests/09-alpn.conf.in b/deps/openssl/openssl/test/ssl-tests/09-alpn.conf.in index 41c9486fa5..37035f1d84 100644 --- a/deps/openssl/openssl/test/ssl-tests/09-alpn.conf.in +++ b/deps/openssl/openssl/test/ssl-tests/09-alpn.conf.in @@ -180,7 +180,7 @@ our @tests = ( name => "alpn-selected-sni-server-does-not-support-alpn", server => { extra => { - "ALPNProtocols" => "bar", + "ALPNProtocols" => "bar", "ServerNameCallback" => "IgnoreMismatch", }, }, diff --git a/deps/openssl/openssl/test/ssl-tests/10-resumption.conf b/deps/openssl/openssl/test/ssl-tests/10-resumption.conf index 4c79b0898e..b2deee4209 100644 --- a/deps/openssl/openssl/test/ssl-tests/10-resumption.conf +++ b/deps/openssl/openssl/test/ssl-tests/10-resumption.conf @@ -1332,3 +1332,5 @@ VerifyMode = Peer ExpectedProtocol = TLSv1.2 HandshakeMode = Resume ResumptionExpected = Yes + + diff --git a/deps/openssl/openssl/test/ssl-tests/11-dtls_resumption.conf b/deps/openssl/openssl/test/ssl-tests/11-dtls_resumption.conf index df28ecb1e7..ceed959744 100644 --- a/deps/openssl/openssl/test/ssl-tests/11-dtls_resumption.conf +++ b/deps/openssl/openssl/test/ssl-tests/11-dtls_resumption.conf @@ -608,3 +608,5 @@ ExpectedProtocol = DTLSv1.2 HandshakeMode = Resume Method = DTLS ResumptionExpected = Yes + + diff --git a/deps/openssl/openssl/test/ssl-tests/12-ct.conf b/deps/openssl/openssl/test/ssl-tests/12-ct.conf index 985292e900..2e6e9dea67 100644 --- a/deps/openssl/openssl/test/ssl-tests/12-ct.conf +++ b/deps/openssl/openssl/test/ssl-tests/12-ct.conf @@ -187,3 +187,5 @@ CTValidation = Strict [5-ct-strict-resumption-resume-client-extra] CTValidation = Strict + + diff --git a/deps/openssl/openssl/test/ssl-tests/13-fragmentation.conf b/deps/openssl/openssl/test/ssl-tests/13-fragmentation.conf index 02feb2c778..4c1e9e2b33 100644 --- a/deps/openssl/openssl/test/ssl-tests/13-fragmentation.conf +++ b/deps/openssl/openssl/test/ssl-tests/13-fragmentation.conf @@ -393,3 +393,5 @@ VerifyMode = Peer [test-15] ApplicationData = 4096 MaxFragmentSize = 4096 + + diff --git a/deps/openssl/openssl/test/ssl-tests/14-curves.conf b/deps/openssl/openssl/test/ssl-tests/14-curves.conf index 61b297053e..7f7ac4ba8d 100644 --- a/deps/openssl/openssl/test/ssl-tests/14-curves.conf +++ b/deps/openssl/openssl/test/ssl-tests/14-curves.conf @@ -783,3 +783,5 @@ VerifyMode = Peer [test-28] ExpectedResult = Success ExpectedTmpKeyType = X25519 + + diff --git a/deps/openssl/openssl/test/ssl-tests/15-certstatus.conf b/deps/openssl/openssl/test/ssl-tests/15-certstatus.conf index 770f024d13..bf6c41cda2 100644 --- a/deps/openssl/openssl/test/ssl-tests/15-certstatus.conf +++ b/deps/openssl/openssl/test/ssl-tests/15-certstatus.conf @@ -58,3 +58,5 @@ server = 1-certstatus-bad-server-extra [1-certstatus-bad-server-extra] CertStatus = BadResponse + + diff --git a/deps/openssl/openssl/test/ssl-tests/16-dtls-certstatus.conf b/deps/openssl/openssl/test/ssl-tests/16-dtls-certstatus.conf index eb55bbd71c..a561803a55 100644 --- a/deps/openssl/openssl/test/ssl-tests/16-dtls-certstatus.conf +++ b/deps/openssl/openssl/test/ssl-tests/16-dtls-certstatus.conf @@ -58,3 +58,5 @@ server = 1-certstatus-bad-server-extra [1-certstatus-bad-server-extra] CertStatus = BadResponse + + diff --git a/deps/openssl/openssl/test/ssl-tests/17-renegotiate.conf b/deps/openssl/openssl/test/ssl-tests/17-renegotiate.conf index 45a9d5864b..48f569fad6 100644 --- a/deps/openssl/openssl/test/ssl-tests/17-renegotiate.conf +++ b/deps/openssl/openssl/test/ssl-tests/17-renegotiate.conf @@ -424,3 +424,5 @@ ExpectedResult = ClientFail HandshakeMode = RenegotiateClient Method = TLS ResumptionExpected = No + + diff --git a/deps/openssl/openssl/test/ssl-tests/18-dtls-renegotiate.conf b/deps/openssl/openssl/test/ssl-tests/18-dtls-renegotiate.conf index d23a84a89b..3d8ebd74c4 100644 --- a/deps/openssl/openssl/test/ssl-tests/18-dtls-renegotiate.conf +++ b/deps/openssl/openssl/test/ssl-tests/18-dtls-renegotiate.conf @@ -272,3 +272,5 @@ client = 8-renegotiate-aead-to-aead-client-extra [8-renegotiate-aead-to-aead-client-extra] RenegotiateCiphers = AES256-GCM-SHA384 + + diff --git a/deps/openssl/openssl/test/ssl-tests/19-mac-then-encrypt.conf b/deps/openssl/openssl/test/ssl-tests/19-mac-then-encrypt.conf index 8626a06669..40480edbf8 100644 --- a/deps/openssl/openssl/test/ssl-tests/19-mac-then-encrypt.conf +++ b/deps/openssl/openssl/test/ssl-tests/19-mac-then-encrypt.conf @@ -152,3 +152,5 @@ VerifyMode = Peer [test-5] ExpectedResult = Success + + diff --git a/deps/openssl/openssl/test/ssl_test.tmpl b/deps/openssl/openssl/test/ssl_test.tmpl index 0517bff44f..9506837f84 100644 --- a/deps/openssl/openssl/test/ssl_test.tmpl +++ b/deps/openssl/openssl/test/ssl_test.tmpl @@ -92,35 +92,35 @@ client = {-$testname-}-client{- $OUT .= "\n[$testname-server-extra]\n"; foreach my $key (sort keys %{$server{"extra"}}) { $OUT .= qq{$key} . " = " . qq{$server{"extra"}{$key}\n} - if defined $server{"extra"}{$key}; + if defined $server{"extra"}{$key}; } } if (%server2 && $server2{"extra"}) { $OUT .= "\n[$testname-server2-extra]\n"; foreach my $key (sort keys %{$server2{"extra"}}) { $OUT .= qq{$key} . " = " . qq{$server2{"extra"}{$key}\n} - if defined $server2{"extra"}{$key}; + if defined $server2{"extra"}{$key}; } } if (%resume_server && $resume_server{"extra"}) { $OUT .= "\n[$testname-resume-server-extra]\n"; foreach my $key (sort keys %{$resume_server{"extra"}}) { $OUT .= qq{$key} . " = " . qq{$resume_server{"extra"}{$key}\n} - if defined $resume_server{"extra"}{$key}; + if defined $resume_server{"extra"}{$key}; } } if ($client{"extra"}) { $OUT .= "\n[$testname-client-extra]\n"; foreach my $key (sort keys %{$client{"extra"}}) { $OUT .= qq{$key} . " = " . qq{$client{"extra"}{$key}\n} - if defined $client{"extra"}{$key}; + if defined $client{"extra"}{$key}; } } if (%resume_client && $resume_client{"extra"}) { $OUT .= "\n[$testname-resume-client-extra]\n"; foreach my $key (sort keys %{$resume_client{"extra"}}) { $OUT .= qq{$key} . " = " . qq{$resume_client{"extra"}{$key}\n} - if defined $resume_client{"extra"}{$key}; + if defined $resume_client{"extra"}{$key}; } } -} diff --git a/deps/openssl/openssl/test/sslapitest.c b/deps/openssl/openssl/test/sslapitest.c index 77e8f2e9ad..8badd284e3 100644 --- a/deps/openssl/openssl/test/sslapitest.c +++ b/deps/openssl/openssl/test/sslapitest.c @@ -1208,6 +1208,61 @@ end: return testresult; } +static int test_ssl_pending(int tst) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + char msg[] = "A test message"; + char buf[5]; + size_t written; + + if (tst == 0) { + if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), + TLS1_VERSION, TLS_MAX_VERSION, + &sctx, &cctx, cert, privkey)) { + printf("Failed creating SSL_CTX pair\n"); + goto end; + } + } else { +#ifndef OPENSSL_NO_DTLS + if (!create_ssl_ctx_pair(DTLS_server_method(), DTLS_client_method(), + DTLS1_VERSION, DTLS_MAX_VERSION, + &sctx, &cctx, cert, privkey)) { + printf("Failed creating SSL_CTX pair\n"); + goto end; + } +#else + return 1; +#endif + } + + if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL) + || !create_ssl_connection(serverssl, clientssl)) { + printf("Failed creating connection\n"); + goto end; + } + + written = SSL_write(serverssl, msg, sizeof(msg)); + if (written != sizeof(msg) + || SSL_read(clientssl, buf, sizeof(buf)) != sizeof(buf) + || SSL_pending(clientssl) != (int)(written - sizeof(buf))) { + printf("Failed checking SSL_pending\n"); + goto end; + } + + testresult = 1; + + end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + + return testresult; +} + + int main(int argc, char *argv[]) { BIO *err = NULL; @@ -1244,6 +1299,7 @@ int main(int argc, char *argv[]) ADD_TEST(test_ssl_bio_change_wbio); ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2); ADD_ALL_TESTS(test_custom_exts, 2); + ADD_ALL_TESTS(test_ssl_pending, 2); testresult = run_tests(argv[0]); diff --git a/deps/openssl/openssl/test/verify_extra_test.c b/deps/openssl/openssl/test/verify_extra_test.c index cc05bc2ef1..fabc1dc59f 100644 --- a/deps/openssl/openssl/test/verify_extra_test.c +++ b/deps/openssl/openssl/test/verify_extra_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -137,6 +137,43 @@ static int test_alt_chains_cert_forgery(const char *roots_f, return ret; } +static int test_store_ctx(const char *bad_f) +{ + X509_STORE_CTX *sctx = NULL; + X509 *x = NULL; + BIO *bio = NULL; + int testresult = 0, ret; + + bio = BIO_new_file(bad_f, "r"); + if (bio == NULL) + goto err; + + x = PEM_read_bio_X509(bio, NULL, 0, NULL); + if (x == NULL) + goto err; + + sctx = X509_STORE_CTX_new(); + if (sctx == NULL) + goto err; + + if (!X509_STORE_CTX_init(sctx, NULL, x, NULL)) + goto err; + + /* Verifying a cert where we have no trusted certs should fail */ + ret = X509_verify_cert(sctx); + + if (ret == 0) { + /* This is the result we were expecting: Test passed */ + testresult = 1; + } + + err: + X509_STORE_CTX_free(sctx); + X509_free(x); + BIO_free(bio); + return testresult; +} + int main(int argc, char **argv) { CRYPTO_set_mem_debug(1); @@ -152,6 +189,11 @@ int main(int argc, char **argv) return 1; } + if (!test_store_ctx(argv[3])) { + fprintf(stderr, "Test X509_STORE_CTX failed\n"); + return 1; + } + #ifndef OPENSSL_NO_CRYPTO_MDEBUG if (CRYPTO_mem_leaks_fp(stderr) <= 0) return 1; diff --git a/deps/openssl/openssl/test/versions.c b/deps/openssl/openssl/test/versions.c new file mode 100644 index 0000000000..3ab05ec35d --- /dev/null +++ b/deps/openssl/openssl/test/versions.c @@ -0,0 +1,20 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdio.h> +#include <openssl/opensslv.h> +#include <openssl/crypto.h> + +/* A simple helper for the perl function OpenSSL::Test::openssl_versions */ +int main(void) +{ + printf("Build version: 0x%08lX\n", OPENSSL_VERSION_NUMBER); + printf("Library version: 0x%08lX\n", OpenSSL_version_num()); + return 0; +} diff --git a/deps/openssl/openssl/test/x509_dup_cert_test.c b/deps/openssl/openssl/test/x509_dup_cert_test.c new file mode 100644 index 0000000000..7f7adebbb0 --- /dev/null +++ b/deps/openssl/openssl/test/x509_dup_cert_test.c @@ -0,0 +1,70 @@ +/* + * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* ==================================================================== + * Copyright (c) 2017, 2018 Oracle and/or its affiliates. All rights reserved. + */ + +#include <stdio.h> +#include <openssl/err.h> +#include <openssl/x509_vfy.h> + +static int test_509_dup_cert(const char *cert_f) +{ + int ret = 0; + X509_STORE_CTX *sctx = NULL; + X509_STORE *store = NULL; + X509_LOOKUP *lookup = NULL; + + store = X509_STORE_new(); + if (store == NULL) + goto err; + + lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); + if (lookup == NULL) + goto err; + + if (!X509_load_cert_file(lookup, cert_f, X509_FILETYPE_PEM)) + goto err; + if (!X509_load_cert_file(lookup, cert_f, X509_FILETYPE_PEM)) + goto err; + + ret = 1; + + err: + X509_STORE_CTX_free(sctx); + X509_STORE_free(store); + if (ret != 1) + ERR_print_errors_fp(stderr); + return ret; +} + +int main(int argc, char **argv) +{ + CRYPTO_set_mem_debug(1); + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); + + if (argc != 2) { + fprintf(stderr, "usage: x509_dup_cert_test cert.pem\n"); + return 1; + } + + if (!test_509_dup_cert(argv[1])) { + fprintf(stderr, "Test X509 duplicate cert failed\n"); + return 1; + } + +#ifndef OPENSSL_NO_CRYPTO_MDEBUG + if (CRYPTO_mem_leaks_fp(stderr) <= 0) + return 1; +#endif + + printf("PASS\n"); + return 0; +} diff --git a/deps/openssl/openssl/test/x509_time_test.c b/deps/openssl/openssl/test/x509_time_test.c new file mode 100644 index 0000000000..32d65c8761 --- /dev/null +++ b/deps/openssl/openssl/test/x509_time_test.c @@ -0,0 +1,212 @@ +/* + * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* Tests for X509 time functions */ + +#include <string.h> +#include <time.h> + +#include <openssl/asn1.h> +#include <openssl/x509.h> +#include "testutil.h" +#include "e_os.h" + +typedef struct { + const char *data; + int type; + time_t cmp_time; + /* -1 if asn1_time <= cmp_time, 1 if asn1_time > cmp_time, 0 if error. */ + int expected; +} TESTDATA; + +static TESTDATA x509_cmp_tests[] = { + { + "20170217180154Z", V_ASN1_GENERALIZEDTIME, + /* The same in seconds since epoch. */ + 1487354514, -1, + }, + { + "20170217180154Z", V_ASN1_GENERALIZEDTIME, + /* One second more. */ + 1487354515, -1, + }, + { + "20170217180154Z", V_ASN1_GENERALIZEDTIME, + /* One second less. */ + 1487354513, 1, + }, + /* Same as UTC time. */ + { + "170217180154Z", V_ASN1_UTCTIME, + /* The same in seconds since epoch. */ + 1487354514, -1, + }, + { + "170217180154Z", V_ASN1_UTCTIME, + /* One second more. */ + 1487354515, -1, + }, + { + "170217180154Z", V_ASN1_UTCTIME, + /* One second less. */ + 1487354513, 1, + }, + /* UTCTime from the 20th century. */ + { + "990217180154Z", V_ASN1_UTCTIME, + /* The same in seconds since epoch. */ + 919274514, -1, + }, + { + "990217180154Z", V_ASN1_UTCTIME, + /* One second more. */ + 919274515, -1, + }, + { + "990217180154Z", V_ASN1_UTCTIME, + /* One second less. */ + 919274513, 1, + }, + /* Various invalid formats. */ + { + /* No trailing Z. */ + "20170217180154", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* No trailing Z, UTCTime. */ + "170217180154", V_ASN1_UTCTIME, 0, 0, + }, + { + /* No seconds. */ + "201702171801Z", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* No seconds, UTCTime. */ + "1702171801Z", V_ASN1_UTCTIME, 0, 0, + }, + { + /* Fractional seconds. */ + "20170217180154.001Z", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* Fractional seconds, UTCTime. */ + "170217180154.001Z", V_ASN1_UTCTIME, 0, 0, + }, + { + /* Timezone offset. */ + "20170217180154+0100", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* Timezone offset, UTCTime. */ + "170217180154+0100", V_ASN1_UTCTIME, 0, 0, + }, + { + /* Extra digits. */ + "2017021718015400Z", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* Extra digits, UTCTime. */ + "17021718015400Z", V_ASN1_UTCTIME, 0, 0, + }, + { + /* Non-digits. */ + "2017021718015aZ", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* Non-digits, UTCTime. */ + "17021718015aZ", V_ASN1_UTCTIME, 0, 0, + }, + { + /* Trailing garbage. */ + "20170217180154Zlongtrailinggarbage", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* Trailing garbage, UTCTime. */ + "170217180154Zlongtrailinggarbage", V_ASN1_UTCTIME, 0, 0, + }, + { + /* Swapped type. */ + "20170217180154Z", V_ASN1_UTCTIME, 0, 0, + }, + { + /* Swapped type. */ + "170217180154Z", V_ASN1_GENERALIZEDTIME, 0, 0, + }, + { + /* Bad type. */ + "20170217180154Z", V_ASN1_OCTET_STRING, 0, 0, + }, +}; + +static int test_x509_cmp_time(int idx) +{ + ASN1_TIME t; + int result; + + memset(&t, 0, sizeof(t)); + t.type = x509_cmp_tests[idx].type; + t.data = (unsigned char*)(x509_cmp_tests[idx].data); + t.length = strlen(x509_cmp_tests[idx].data); + + result = X509_cmp_time(&t, &x509_cmp_tests[idx].cmp_time); + if (result != x509_cmp_tests[idx].expected) { + fprintf(stderr, "test_x509_cmp_time(%d) failed: expected %d, got %d\n", + idx, x509_cmp_tests[idx].expected, result); + return 0; + } + return 1; +} + +static int test_x509_cmp_time_current() +{ + time_t now = time(NULL); + /* Pick a day earlier and later, relative to any system clock. */ + ASN1_TIME *asn1_before = NULL, *asn1_after = NULL; + int cmp_result, failed = 0; + + asn1_before = ASN1_TIME_adj(NULL, now, -1, 0); + asn1_after = ASN1_TIME_adj(NULL, now, 1, 0); + + cmp_result = X509_cmp_time(asn1_before, NULL); + if (cmp_result != -1) { + fprintf(stderr, "test_x509_cmp_time_current failed: expected -1, got %d\n", + cmp_result); + failed = 1; + } + + cmp_result = X509_cmp_time(asn1_after, NULL); + if (cmp_result != 1) { + fprintf(stderr, "test_x509_cmp_time_current failed: expected 1, got %d\n", + cmp_result); + failed = 1; + } + + ASN1_TIME_free(asn1_before); + ASN1_TIME_free(asn1_after); + + return failed == 0; +} + +int main(int argc, char **argv) +{ + int ret = 0; + unsigned int idx; + + if (!test_x509_cmp_time_current()) + ret = 1; + + for (idx=0 ; idx < OSSL_NELEM(x509_cmp_tests) ; ++idx) { + if (!test_x509_cmp_time(idx)) + ret = 1; + } + + if (ret == 0) + printf("PASS\n"); + return ret; +} diff --git a/deps/openssl/openssl/util/copy.pl b/deps/openssl/openssl/util/copy.pl index 01964f585e..fe1c908e68 100644 --- a/deps/openssl/openssl/util/copy.pl +++ b/deps/openssl/openssl/util/copy.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -18,6 +18,7 @@ use Fcntl; my $stripcr = 0; my $arg; +my @excludes = (); foreach $arg (@ARGV) { if ($arg eq "-stripcr") @@ -25,11 +26,16 @@ foreach $arg (@ARGV) { $stripcr = 1; next; } + if ($arg =~ /^-exclude_re=(.*)$/) + { + push @excludes, $1; + next; + } $arg =~ s|\\|/|g; # compensate for bug/feature in cygwin glob... $arg = qq("$arg") if ($arg =~ /\s/); # compensate for bug in 5.10... - foreach (glob $arg) + foreach my $f (glob $arg) { - push @filelist, $_; + push @filelist, $f unless grep { $f =~ /$_/ } @excludes; } } diff --git a/deps/openssl/openssl/util/dofile.pl b/deps/openssl/openssl/util/dofile.pl index fc72989b0f..4533c135a3 100644 --- a/deps/openssl/openssl/util/dofile.pl +++ b/deps/openssl/openssl/util/dofile.pl @@ -40,7 +40,7 @@ package OpenSSL::Template; use File::Basename; use File::Spec::Functions; use lib "$FindBin::Bin/perl"; -use with_fallback qw(Text::Template); +use with_fallback "Text::Template 1.46"; #use parent qw/Text::Template/; use vars qw/@ISA/; @@ -99,9 +99,9 @@ package main; # This adds quotes (") around the given string, and escapes any $, @, \, # " and ' by prepending a \ to them. sub quotify1 { - my $s = my $orig = shift @_; + my $s = shift @_; $s =~ s/([\$\@\\"'])/\\$1/g; - $s ne $orig || $s =~ /\s/ ? '"'.$s.'"' : $s; + '"'.$s.'"'; } # quotify_l LIST diff --git a/deps/openssl/openssl/util/echo.pl b/deps/openssl/openssl/util/echo.pl new file mode 100644 index 0000000000..d90e52129b --- /dev/null +++ b/deps/openssl/openssl/util/echo.pl @@ -0,0 +1,12 @@ +#! /usr/bin/perl + +use strict; +use warnings; +use Getopt::Std; + +our $opt_n = 0; + +getopts('n') or die "Invalid option: $!\n"; + +print join(' ', @ARGV); +print "\n" unless $opt_n; diff --git a/deps/openssl/openssl/util/fipslink.pl b/deps/openssl/openssl/util/fipslink.pl index 8248382c84..18a91532be 100644 --- a/deps/openssl/openssl/util/fipslink.pl +++ b/deps/openssl/openssl/util/fipslink.pl @@ -20,7 +20,7 @@ sub check_env my ($fips_cc,$fips_cc_args, $fips_link,$fips_target, $fips_libdir, $sha1_exe) = check_env("FIPS_CC", "FIPS_CC_ARGS", "FIPS_LINK", "FIPS_TARGET", - "FIPSLIB_D", "FIPS_SHA1_EXE"); + "FIPSLIB_D", "FIPS_SHA1_EXE"); @@ -109,5 +109,7 @@ sub check_hash $hashval =~ s/^.*=\s+//; die "Invalid hash syntax in file" if (length($hashfile) != 40); die "Invalid hash received for file" if (length($hashval) != 40); - die "***HASH VALUE MISMATCH FOR FILE $filename ***" if ($hashval ne $hashfile); + die "***HASH VALUE MISMATCH FOR FILE $filename ***" if ($hashval ne $hashfile); } + + diff --git a/deps/openssl/openssl/util/incore b/deps/openssl/openssl/util/incore index 8a88f81559..26fcf95033 100755 --- a/deps/openssl/openssl/util/incore +++ b/deps/openssl/openssl/util/incore @@ -65,7 +65,7 @@ # put aside e_machine in case one has to treat specific # platforms differently, see EM_ constants in elf.h for - # assortment... + # assortment... $self->{e_machine} = $elf_ehdr{e_machine}; ################################################# @@ -131,12 +131,12 @@ my $name; # (STT_OBJECT || STT_FUNC) if ($st_bind<3 && ($st_type==1 || $st_type==2) - && $st_secn <= $#sections # sane st_shndx + && $st_secn <= $#sections # sane st_shndx && @sections[$st_secn]->{sh_type} # not SHN_UNDEF && ($name=(split(chr(0),substr($strings,$elf_sym{st_name},128)))[0]) ) { # synthesize st_offset, ... - $elf_sym{st_offset} = $elf_sym{st_value} + $elf_sym{st_offset} = $elf_sym{st_value} - @sections[$st_secn]->{sh_addr} + @sections[$st_secn]->{sh_offset}; $elf_sym{st_name} = $name; diff --git a/deps/openssl/openssl/util/libcrypto.num b/deps/openssl/openssl/util/libcrypto.num index 8414d97ff1..51f1d7d654 100644 --- a/deps/openssl/openssl/util/libcrypto.num +++ b/deps/openssl/openssl/util/libcrypto.num @@ -4234,3 +4234,32 @@ CRYPTO_secure_clear_free 4315 1_1_0g EXIST::FUNCTION: EVP_PKEY_set1_engine 4347 1_1_0g EXIST::FUNCTION:ENGINE OCSP_resp_get0_signer 4374 1_1_0h EXIST::FUNCTION:OCSP X509_get0_authority_key_id 4448 1_1_0h EXIST::FUNCTION: +conf_ssl_name_find 4469 1_1_0i EXIST::FUNCTION: +conf_ssl_get_cmd 4470 1_1_0i EXIST::FUNCTION: +conf_ssl_get 4471 1_1_0i EXIST::FUNCTION: +X509_VERIFY_PARAM_get_hostflags 4472 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_get_by_fingerprint 4493 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_new 4494 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_init 4495 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_get_by_alias 4496 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_new_item 4497 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_shutdown 4498 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_new_item 4499 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_ctrl 4500 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_get_by_issuer_serial 4501 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_get_store 4502 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_ctrl 4503 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_get_by_alias 4504 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_get_by_subject 4505 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_free 4506 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_get_by_subject 4507 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_free 4508 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_shutdown 4509 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_set_method_data 4510 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_get_method_data 4511 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_get_by_fingerprint 4512 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_free 4513 1_1_0i EXIST::FUNCTION: +X509_OBJECT_set1_X509 4514 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_get_get_by_issuer_serial 4515 1_1_0i EXIST::FUNCTION: +X509_LOOKUP_meth_set_init 4516 1_1_0i EXIST::FUNCTION: +X509_OBJECT_set1_X509_CRL 4517 1_1_0i EXIST::FUNCTION: diff --git a/deps/openssl/openssl/util/local_shlib.com.in b/deps/openssl/openssl/util/local_shlib.com.in index a381872537..e49aa15c77 100644 --- a/deps/openssl/openssl/util/local_shlib.com.in +++ b/deps/openssl/openssl/util/local_shlib.com.in @@ -16,7 +16,7 @@ $ $ NAMES := {- join(",", keys %names); -} {- join("\n", map { "\$ __$_ = \"".$names{$_}."\"" } keys %names); --} +-} $ I = 0 $ LOOP: $ E = F$ELEMENT(I,",",NAMES) diff --git a/deps/openssl/openssl/util/mkdef.pl b/deps/openssl/openssl/util/mkdef.pl index 66db26c3b9..823cb664d0 100755 --- a/deps/openssl/openssl/util/mkdef.pl +++ b/deps/openssl/openssl/util/mkdef.pl @@ -252,6 +252,7 @@ $crypto.=" include/internal/o_dir.h"; $crypto.=" include/internal/o_str.h"; $crypto.=" include/internal/err.h"; $crypto.=" include/internal/asn1t.h"; +$crypto.=" include/internal/sslconf.h"; $crypto.=" include/openssl/des.h" ; # unless $no_des; $crypto.=" include/openssl/idea.h" ; # unless $no_idea; $crypto.=" include/openssl/rc4.h" ; # unless $no_rc4; @@ -1335,7 +1336,7 @@ EOF } elsif ($VMS) { print OUT ")\n"; (my $libvmaj, my $libvmin, my $libvedit) = - $currversion =~ /^(\d+)_(\d+)_(\d+)$/; + $currversion =~ /^(\d+)_(\d+)_(\d+)[a-z]{0,2}$/; # The reason to multiply the edit number with 100 is to make space # for the possibility that we want to encode the patch letters print OUT "GSMATCH=LEQUAL,",($libvmaj * 100 + $libvmin),",",($libvedit * 100),"\n"; diff --git a/deps/openssl/openssl/util/perl/OpenSSL/Test.pm b/deps/openssl/openssl/util/perl/OpenSSL/Test.pm index 5de7b58e8b..a6be487895 100644 --- a/deps/openssl/openssl/util/perl/OpenSSL/Test.pm +++ b/deps/openssl/openssl/util/perl/OpenSSL/Test.pm @@ -21,7 +21,8 @@ $VERSION = "0.8"; @EXPORT_OK = (@Test::More::EXPORT_OK, qw(bldtop_dir bldtop_file srctop_dir srctop_file data_file - pipe with cmdstr quotify)); + pipe with cmdstr quotify + openssl_versions)); =head1 NAME @@ -695,6 +696,32 @@ sub quotify { return map { $arg_formatter->($_) } @_; } +=over 4 + +=item B<openssl_versions> + +Returns a list of two numbers, the first representing the build version, +the second representing the library version. See opensslv.h for more +information on those numbers. + += back + +=cut + +my @versions = (); +sub openssl_versions { + unless (@versions) { + my %lines = + map { s/\R$//; + /^(.*): (0x[[:xdigit:]]{8})$/; + die "Weird line: $_" unless defined $1; + $1 => hex($2) } + run(test(['versions']), capture => 1); + @versions = ( $lines{'Build version'}, $lines{'Library version'} ); + } + return @versions; +} + ###################################################################### # private functions. These are never exported. diff --git a/deps/openssl/openssl/util/perl/TLSProxy/Message.pm b/deps/openssl/openssl/util/perl/TLSProxy/Message.pm index 10daba4b42..0821bdedd3 100644 --- a/deps/openssl/openssl/util/perl/TLSProxy/Message.pm +++ b/deps/openssl/openssl/util/perl/TLSProxy/Message.pm @@ -170,7 +170,7 @@ sub get_messages $startoffset = $recoffset; $recoffset += 4; $payload = ""; - + if ($recoffset <= $record->decrypt_len) { #Some payload data is present in this record if ($record->decrypt_len - $recoffset >= $messlen) { @@ -296,7 +296,7 @@ sub new $records, $startoffset, $message_frag_lens) = @_; - + my $self = { server => $server, data => $data, diff --git a/deps/openssl/openssl/util/perl/TLSProxy/Record.pm b/deps/openssl/openssl/util/perl/TLSProxy/Record.pm index ad942d4251..786ba0c72b 100644 --- a/deps/openssl/openssl/util/perl/TLSProxy/Record.pm +++ b/deps/openssl/openssl/util/perl/TLSProxy/Record.pm @@ -178,7 +178,7 @@ sub new $decrypt_len, $data, $decrypt_data) = @_; - + my $self = { flight => $flight, content_type => $content_type, diff --git a/deps/openssl/openssl/util/perl/TLSProxy/ServerHello.pm b/deps/openssl/openssl/util/perl/TLSProxy/ServerHello.pm index fd3fba5694..79a8be9a89 100644 --- a/deps/openssl/openssl/util/perl/TLSProxy/ServerHello.pm +++ b/deps/openssl/openssl/util/perl/TLSProxy/ServerHello.pm @@ -20,7 +20,7 @@ sub new $records, $startoffset, $message_frag_lens) = @_; - + my $self = $class->SUPER::new( $server, TLSProxy::Message::MT_SERVER_HELLO, @@ -66,7 +66,7 @@ sub parse my $extension_data; if ($extensions_len != 0) { $extension_data = substr($self->data, $ptr); - + if (length($extension_data) != $extensions_len) { die "Invalid extension length\n"; } diff --git a/deps/openssl/openssl/util/perl/TLSProxy/ServerKeyExchange.pm b/deps/openssl/openssl/util/perl/TLSProxy/ServerKeyExchange.pm index c011d2707a..6e5b4cdcb4 100644 --- a/deps/openssl/openssl/util/perl/TLSProxy/ServerKeyExchange.pm +++ b/deps/openssl/openssl/util/perl/TLSProxy/ServerKeyExchange.pm @@ -20,7 +20,7 @@ sub new $records, $startoffset, $message_frag_lens) = @_; - + my $self = $class->SUPER::new( $server, TLSProxy::Message::MT_SERVER_KEY_EXCHANGE, diff --git a/deps/openssl/openssl/util/perl/with_fallback.pm b/deps/openssl/openssl/util/perl/with_fallback.pm index 2af1d5fbd5..242365033f 100644 --- a/deps/openssl/openssl/util/perl/with_fallback.pm +++ b/deps/openssl/openssl/util/perl/with_fallback.pm @@ -1,4 +1,4 @@ -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -8,15 +8,17 @@ package with_fallback; sub import { + shift; + use File::Basename; use File::Spec::Functions; foreach (@_) { - eval "require $_"; + eval "use $_"; if ($@) { unshift @INC, catdir(dirname(__FILE__), "..", "..", "external", "perl"); my $transfer = "transfer::$_"; - eval "require $transfer"; + eval "use $transfer"; shift @INC; warn $@ if $@; } diff --git a/deps/openssl/openssl/util/process_docs.pl b/deps/openssl/openssl/util/process_docs.pl index e084df78a5..f7daef0dd8 100755 --- a/deps/openssl/openssl/util/process_docs.pl +++ b/deps/openssl/openssl/util/process_docs.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -101,7 +101,7 @@ foreach my $subdir (keys %{$options{subdir}}) { my $suffix = { man => ".$podinfo{section}".($options{suffix} // ""), html => ".html" } -> {$options{type}}; my $generate = { man => "pod2man --name=$name --section=$podinfo{section} --center=OpenSSL --release=$config{version} \"$podpath\"", - html => "pod2html \"--podroot=$options{sourcedir}\" --htmldir=$updir --podpath=apps:crypto:ssl \"--infile=$podpath\" \"--title=$podname\"" + html => "pod2html \"--podroot=$options{sourcedir}\" --htmldir=$updir --podpath=apps:crypto:ssl \"--infile=$podpath\" \"--title=$podname\" --quiet" } -> {$options{type}}; my $output_dir = catdir($options{destdir}, "man$podinfo{section}"); my $output_file = $podname . $suffix; @@ -115,6 +115,32 @@ foreach my $subdir (keys %{$options{subdir}}) { @output = `$generate`; map { s|href="http://man\.he\.net/(man\d/[^"]+)(?:\.html)?"|href="../$1.html|g; } @output if $options{type} eq "html"; + if ($options{type} eq "man") { + # Because some *roff parsers are more strict than others, + # multiple lines in the NAME section must be merged into + # one. + my $in_name = 0; + my $name_line = ""; + my @newoutput = (); + foreach (@output) { + if ($in_name) { + if (/^\.SH "/) { + $in_name = 0; + push @newoutput, $name_line."\n"; + } else { + chomp (my $x = $_); + $name_line .= " " if $name_line; + $name_line .= $x; + next; + } + } + if (/^\.SH +"NAME" *$/) { + $in_name = 1; + } + push @newoutput, $_; + } + @output = @newoutput; + } } print STDERR "DEBUG: Done processing\n" if $options{debug}; @@ -238,7 +264,7 @@ Print extra debugging output. =head1 COPYRIGHT -Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy |